/* **********************************************************
 * Copyright (c) 2011-2021 Google, Inc. All rights reserved.
 * Copyright (c) 2003-2010 VMware, Inc. All rights reserved.
 * **********************************************************/
/*
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are met:
 *
 * * Redistributions of source code must retain the above copyright notice,
 * this list of conditions and the following disclaimer.
 *
 * * Redistributions in binary form must reproduce the above copyright notice,
 * this list of conditions and the following disclaimer in the documentation
 * and/or other materials provided with the distribution.
 *
 * * Neither the name of VMware, Inc. nor the names of its contributors may be
 * used to endorse or promote products derived from this software without
 * specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
 * DAMAGE.
 */
/*
 * ntdll.h
 * Routines for calling Windows system calls via the ntdll.dll wrappers.
 * For most of the older routines we return a bool instead of an NTSTATUS.
 *
 * New routines, however, should return the raw NTSTATUS and leave it to
 * the callers to report or act on a specific failure. Use NT_SUCCESS to
 * check for success; since 0 indicates success, misusing the status as a
 * bool will be caught easily.
 */
#ifndef _NTDLL_H_
#define _NTDLL_H_ 1
#define WIN32_LEAN_AND_MEAN
#include <windows.h>
#include <stddef.h>
#include "ntdll_types.h"
#include "globals_shared.h"
#include "ntdll_shared.h"
#pragma warning(disable : 4214)
/*
 * Some syscalls are made at points where the win32 API's internal state
 * is such that calling into it causes problems.
 */
/*
 * loader lock acquisitions by kernel32.GetProcAddress (Bug 411).
 * This should serve as an example of why using kernel32 functions is not safe.
 */
/* Since there is no official header file exporting these,
 * we encapsulate signatures obtained from other sources.
 */
/* Declares an ntdll export named NtFunction with the given parenthesized
 * parameter list, using the NTSYSAPI NTSTATUS NTAPI convention. The
 * signatures come from unofficial sources (see the note above), so the
 * compiler cannot detect a mismatch against the real export: keep each
 * declaration in sync with the documented prototype of the same name.
 */
#define GET_NTDLL(NtFunction, signature) NTSYSAPI NTSTATUS NTAPI NtFunction signature
/*
 * Structs and defines.
 * Mostly from either Windows NT/2000 Native API Reference's ntdll.h
 * or from the DDK's header files.
 * These were generated from such headers to make the
 * information necessary for userspace to call into the Windows
 * kernel available to DynamoRIO. They include only constants,
 * structures, and macros generated from the original headers, and
 * thus contain no copyrightable information.
 */
/* Pseudo-handles for the calling process (all bits set) and calling thread
 * (-2), cast to HANDLE; presumably the NT pseudo-handle values -- confirm
 * against the callers before reusing elsewhere.
 */
#define NT_CURRENT_PROCESS ((HANDLE)PTR_UINT_MINUS_1)
#define NT_CURRENT_THREAD ((HANDLE)(ptr_uint_t)-2)
/* ATTACH_PARENT_PROCESS is only visible when _WIN32_WINNT is new enough; it is
 * defined in globals.h as _WIN32_WINNT_NT4, hence the need for this re-definition.
 */
#ifndef ATTACH_PARENT_PROCESS
# define ATTACH_PARENT_PROCESS ((DWORD)-1)
#endif
#ifdef X64
/* UNICODE_STRING as laid out in a 32-bit address space: Buffer is a 32-bit
 * integer rather than a pointer, so it must be widened before being used as
 * an address. Only declared in 64-bit builds (enclosing #ifdef X64).
 */
typedef struct _UNICODE_STRING_32 {
    USHORT Length;
    USHORT MaximumLength;
    uint Buffer; /* 32-bit address, not dereferenceable as-is */
} UNICODE_STRING_32;
/* 32-bit-layout process parameters. Reserved[14] covers the leading fields
 * this file does not need; Environment is a 32-bit address.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS_32 {
    uint Reserved[14];
    UNICODE_STRING_32 ImagePathName;
    UNICODE_STRING_32 CommandLine;
    uint Environment;
} RTL_USER_PROCESS_PARAMETERS_32, *PRTL_USER_PROCESS_PARAMETERS_32;
#else
/* UNICODE_STRING as laid out in a 64-bit address space, for use from 32-bit
 * builds (enclosing #else of #ifdef X64). Aligned to 8 bytes with explicit
 * padding after the two USHORTs so Buffer64 sits at offset 8. The union
 * allows the 64-bit buffer address to be accessed either whole (Buffer64)
 * or as a 32-bit pointer plus high half (b32); when filling b32 from a
 * 32-bit pointer, Buffer32_hi presumably must be zeroed -- confirm at the
 * use sites.
 */
typedef struct ALIGN_VAR(8) _UNICODE_STRING_64 {
    USHORT Length;
    USHORT MaximumLength;
    int padding;
    union {
        struct {
            PWSTR Buffer32;
            uint Buffer32_hi;
        } b32;
        uint64 Buffer64;
    } u;
} UNICODE_STRING_64;
/* 64-bit-layout process parameters, for use from 32-bit builds. Reserved1
 * and Reserved2 cover the leading fields this file does not need;
 * Environment is a 64-bit address.
 */
typedef struct _RTL_USER_PROCESS_PARAMETERS_64 {
    BYTE Reserved1[16];
    uint64 Reserved2[10];
    UNICODE_STRING_64 ImagePathName;
    UNICODE_STRING_64 CommandLine;
    uint64 Environment;
} RTL_USER_PROCESS_PARAMETERS_64, *PRTL_USER_PROCESS_PARAMETERS_64;
#endif
#define DIRECTORY_QUERY (0x0001)
#define DIRECTORY_TRAVERSE (0x0002)
#define DIRECTORY_CREATE_OBJECT (0x0004)
#define DIRECTORY_CREATE_SUBDIRECTORY (0x0008)
#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
/* Loader data block referenced from PEB.LoaderData. The three list heads
 * link LDR_MODULE entries in load, memory and initialization order; each
 * head points at the matching LIST_ENTRY embedded in LDR_MODULE, not at
 * the start of the entry.
 */
typedef struct _PEB_LDR_DATA {
    ULONG Length;
    BOOLEAN Initialized;
    PVOID SsHandle;
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;
/* Red-black tree node. The second union overlays the Red/Balance bits on the
 * low bits of ParentValue, so the parent pointer must be recovered with
 * RTL_BALANCED_NODE_PARENT_VALUE() rather than read directly.
 */
typedef struct _RTL_BALANCED_NODE {
    union {
        struct _RTL_BALANCED_NODE *Children[2];
        struct {
            struct _RTL_BALANCED_NODE *Left;
            struct _RTL_BALANCED_NODE *Right;
        };
    };
    union {
        UCHAR Red : 1;
        UCHAR Balance : 2;
        ULONG_PTR ParentValue; /* parent pointer with flag bits in bits 0-1 */
    };
} RTL_BALANCED_NODE, *PRTL_BALANCED_NODE;
/* Extracts the parent pointer from an RTL_BALANCED_NODE by clearing the two
 * low bits of ParentValue that the Red/Balance bitfields share with it.
 * (~3) is an int; it sign-extends to an all-ones-but-two mask on both
 * 32-bit and 64-bit ULONG_PTR.
 */
#define RTL_BALANCED_NODE_PARENT_VALUE(rbn) \
    ((PRTL_BALANCED_NODE)((rbn)->ParentValue & (~3)))
/* Red-black tree header: root node plus a cached minimum node. */
typedef struct _RTL_RB_TREE {
    PRTL_BALANCED_NODE Root;
    PRTL_BALANCED_NODE Min;
} RTL_RB_TREE, *PRTL_RB_TREE;
/* Why the loader mapped a module (LDR_MODULE.LoadReason). LoadReasonUnknown
 * is -1, so the enum must stay a signed type.
 */
typedef enum _LDR_DLL_LOAD_REASON {
    LoadReasonStaticDependency = 0,
    LoadReasonStaticForwarderDependency = 1,
    LoadReasonDynamicForwarderDependency = 2,
    LoadReasonDelayloadDependency = 3,
    LoadReasonDynamicLoad = 4,
    LoadReasonAsImageLoad = 5,
    LoadReasonAsDataLoad = 6,
    LoadReasonUnknown = -1,
} LDR_DLL_LOAD_REASON;
/* The PEB_LDR_DATA list heads point at the embedded LIST_ENTRY, not at the
 * start of the entry; i.e., for InInit*Order*, Flink points 16 bytes into the
 * LDR_MODULE structure.
 * The MS symbols refer to this data struct as ntdll!_LDR_DATA_TABLE_ENTRY.
 */
/* One entry of the loader's module lists (ntdll!_LDR_DATA_TABLE_ENTRY in the
 * MS symbols). The three LIST_ENTRY links come first; a list walker must
 * subtract the link's offset to get back to the entry. Everything from
 * DdagNode on is only valid on Win8+: Win7's layout differs past that point,
 * so callers must gate access on the OS version.
 */
typedef struct _LDR_MODULE {
    LIST_ENTRY InLoadOrderModuleList;
    LIST_ENTRY InMemoryOrderModuleList;
    LIST_ENTRY InInitializationOrderModuleList;
    PVOID BaseAddress;
    PVOID EntryPoint;
    ULONG SizeOfImage;
    UNICODE_STRING FullDllName;
    UNICODE_STRING BaseDllName;
    ULONG Flags; /* LDR_* bits below */
    SHORT LoadCount;
    SHORT TlsIndex;
    union {
        struct {
            HANDLE SectionHandle;
            ULONG CheckSum;
        };
        LIST_ENTRY HashLinks;
    };
    ULONG TimeDateStamp;
    PVOID EntryPointActivationContext;
    PVOID PatchInformation;
    /* Below here is Win8-only. Win7 has some different, incompatible
     * fields. We only need to access things below here on Win8.
     */
    PVOID DdagNode;
    LIST_ENTRY NodeModuleLink;
    PVOID SnapContext;
    PVOID ParentDllBase;
    PVOID SwitchBackContext;
    RTL_BALANCED_NODE BaseAddressIndexNode;
    RTL_BALANCED_NODE MappingInfoIndexNode;
    ULONG_PTR OriginalBase;
    LARGE_INTEGER LoadTime;
    ULONG BaseNameHashValue;
    LDR_DLL_LOAD_REASON LoadReason;
} LDR_MODULE, *PLDR_MODULE;
/* We must be able to read a 64-bit image's headers from a 32-bit process
 * and vice versa (for injection from 32-bit into a 64-bit child).
 * Not all IMAGE_OPTIONAL_HEADER fields are affected, only ImageBase,
 * LoaderFlags, NumberOfRvaAndSizes, SizeOf{Stack,Heap}{Commit,Reserve},
 * and DataDirectory, of which we use only ImageBase and DataDirectory.
 * All other fields happen to have the same offsets and sizes in both
 * IMAGE_OPTIONAL_HEADER32 and IMAGE_OPTIONAL_HEADER64.
 */
/* Since the header has already been validated by the time
 * it is used directly in process_image(), just when the module processing
 * begins, we don't have to do all the checks here.
 */
/* OPT_HDR reads, and OPT_HDR_P takes the address of, optional-header field
 * `field`, selecting the 32- or 64-bit header layout at runtime from
 * OptionalHeader.Magic. nt_hdr_p is evaluated more than once, so pass a
 * side-effect-free expression. The macro performs no validation of
 * nt_hdr_p itself: it relies on the caller having already checked that the
 * headers are readable and well-formed (see the note above about
 * process_image()), so do not apply it to an unvalidated, untrusted image.
 */
#define OPT_HDR(nt_hdr_p, field) OPT_HDR_BASE(nt_hdr_p, field, )
#define OPT_HDR_P(nt_hdr_p, field) OPT_HDR_BASE(nt_hdr_p, field, (app_pc) &)
#define OPT_HDR_BASE(nt_hdr_p, field, amp) \
    ((nt_hdr_p)->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC \
         ? amp(((IMAGE_OPTIONAL_HEADER32 *)&((nt_hdr_p)->OptionalHeader))->field) \
         : amp(((IMAGE_OPTIONAL_HEADER64 *)&((nt_hdr_p)->OptionalHeader))->field))
/* Upper bound on entries visited when walking the loader module lists, so
 * that a corrupted or cyclic list (which lives in writable app memory)
 * cannot hang the walker. Presumably no real process has this many modules
 * -- confirm against the walkers if raising it.
 */
enum { MAX_MODULE_LIST_INFINITE_LOOP_THRESHOLD = 2048 };
/*
 * These defines are (some of the) regular LDR_MODULE.Flags values.
 * Windows 8 has these as named bitfields, so we now have official
 * confirmation.
 */
#define LDR_PROCESS_STATIC_IMPORT 0x00000020
#define LDR_IMAGE_IS_DLL 0x00000004
#define LDR_LOAD_IN_PROGRESS 0x00001000
#define LDR_UNLOAD_IN_PROGRESS 0x00002000
#define LDR_NO_DLL_CALLS 0x00040000
#define LDR_PROCESS_ATTACHED 0x00080000
#define LDR_MODULE_REBASED 0x00200000
/* Opaque pointer types used by the PEB declaration below; the pointed-to
 * structs are never defined here.
 */
typedef struct _PEBLOCKROUTINE *PPEBLOCKROUTINE;
typedef struct _PEB_FREE_BLOCK *PPEB_FREE_BLOCK;
typedef PVOID *PPVOID;
/* Run-time-library bitmap header: bit count plus the backing buffer. Used for
 * the PEB's TLS/FLS bitmaps.
 */
typedef struct _RTL_BITMAP {
    ULONG SizeOfBitMap; /* number of bits, not bytes */
    LPBYTE BitMapBuffer;
} RTL_BITMAP, *PRTL_BITMAP;
typedef const RTL_BITMAP *PCRTL_BITMAP;
/* Originally from the Native API Reference; we have
 * changed some PVOID types to more specific types.
 * Later updated to win8 pdb info.
 */
/* Process Environment Block. Where an `#if 0` branch appears it records the
 * MS-symbol names for a slot that this file declares under a different
 * name or type; only the `#else` branch is compiled. The whole block lives
 * in app-writable memory, so values read from it (list pointers, counts,
 * bitmaps) should be treated as untrusted input.
 */
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;
#if 0
    BOOLEAN ImageUsesLargePages:1;
    BOOLEAN SpareBits:7;
#else
    BOOLEAN ImageUsesLargePages;
#endif
    HANDLE Mutant;
    PVOID ImageBaseAddress;
    PPEB_LDR_DATA LoaderData;
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    PVOID SubSystemData;
    PVOID ProcessHeap;
    PRTL_CRITICAL_SECTION FastPebLock;
#if 0
    PVOID AtlThunkSListPtr;
    PVOID SparePtr2;
#else
    PPEBLOCKROUTINE FastPebLockRoutine;
    PPEBLOCKROUTINE FastPebUnlockRoutine;
#endif
    DWORD EnvironmentUpdateCount;
    PVOID KernelCallbackTable;
#if 0
    DWORD SystemReserved[1];
    DWORD SpareUlong;
#else
    DWORD EvengLogSection; /* sic: name kept for source compatibility */
    DWORD EventLog;
#endif
    PPEB_FREE_BLOCK FreeList;
    DWORD TlsExpansionCounter;
    PRTL_BITMAP TlsBitmap;
    DWORD TlsBitmapBits[2];
    PVOID ReadOnlySharedMemoryBase;
    PVOID ReadOnlySharedMemoryHeap;
    PPVOID ReadOnlyStaticServerData;
    PVOID AnsiCodePageData;
    PVOID OemCodePageData;
    PVOID UnicodeCaseTableData;
    DWORD NumberOfProcessors;
    DWORD NtGlobalFlag;
    LARGE_INTEGER CriticalSectionTimeout;
    ptr_uint_t HeapSegmentReserve;
    ptr_uint_t HeapSegmentCommit;
    ptr_uint_t HeapDeCommitTotalFreeThreshold;
    ptr_uint_t HeapDeCommitFreeBlockThreshold;
    DWORD NumberOfHeaps;
    DWORD MaximumNumberOfHeaps;
    PPVOID ProcessHeaps;
    PVOID GdiSharedHandleTable;
    PVOID ProcessStarterHelper;
    DWORD GdiDCAttributeList;
    PRTL_CRITICAL_SECTION LoaderLock;
    DWORD OSMajorVersion;
    DWORD OSMinorVersion;
    WORD OSBuildNumber;
    WORD OSCSDVersion;
    DWORD OSPlatformId;
    DWORD ImageSubsystem;
    DWORD ImageSubsystemMajorVersion;
    DWORD ImageSubsystemMinorVersion;
    ptr_uint_t ImageProcessAffinityMask;
#ifdef X64
    DWORD GdiHandleBuffer[60];
#else
    DWORD GdiHandleBuffer[34];
#endif
    PVOID PostProcessInitRoutine;
    PVOID TlsExpansionBitmap;
    DWORD TlsExpansionBitmapBits[32];
    DWORD SessionId;
    ULARGE_INTEGER AppCompatFlags;
    ULARGE_INTEGER AppCompatFlagsUser;
    PVOID pShimData;
    PVOID AppCompatInfo;
    UNICODE_STRING CSDVersion;
    PVOID ActivationContextData;
    PVOID ProcessAssemblyStorageMap;
    PVOID SystemDefaultActivationContextData;
    PVOID SystemAssemblyStorageMap;
    ptr_uint_t MinimumStackCommit;
    PPVOID FlsCallback;
    LIST_ENTRY FlsListHead;
    PRTL_BITMAP FlsBitmap;
    DWORD FlsBitmapBits[4];
    DWORD FlsHighIndex;
    PVOID WerRegistrationData;
    PVOID WerShipAssertPtr;
    PVOID pUnused;
    PVOID pImageHeaderHash;
    union {
        ULONG TracingFlags;
        struct {
            ULONG HeapTracingEnabled : 1;
            ULONG CritSecTracingEnabled : 1;
            ULONG LibLoaderTracingEnabled : 1;
            ULONG SpareTracingBits : 29;
        };
    };
    ULONG64 CsrServerReadOnlySharedMemoryBase;
    /* ntdll!Wow64SystemServiceCall tests bit 0x2 to decide whether to go into
     * the WOW64 layer.
     */
    DWORD Unknown;
    DWORD Wow64SyscallFlags;
} PEB, *PPEB;
#ifndef _W64
# define _W64
#endif
#ifndef X64
/* Pointer-sized integer types for 32-bit builds (enclosing #ifndef X64);
 * _W64 is defined empty above when the compiler does not provide it.
 */
typedef _W64 long LONG_PTR, *PLONG_PTR;
typedef _W64 unsigned long ULONG_PTR, *PULONG_PTR;
typedef ULONG KAFFINITY;
#endif
/* Per-process or per-thread time accounting, as four LARGE_INTEGER values. */
typedef struct _KERNEL_USER_TIMES {
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
} KERNEL_USER_TIMES;
/* Result buffer for the basic process-information query. PebBaseAddress is
 * an address in the target process and is not dereferenceable unless the
 * target is the current process.
 */
typedef struct _PROCESS_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PPEB PebBaseAddress;
    ULONG_PTR AffinityMask;
    KPRIORITY BasePriority;
    ULONG_PTR UniqueProcessId;
    ULONG_PTR InheritedFromUniqueProcessId;
} PROCESS_BASIC_INFORMATION;
typedef PROCESS_BASIC_INFORMATION *PPROCESS_BASIC_INFORMATION;
/* A selector together with its LDT descriptor. */
typedef struct _DESCRIPTOR_TABLE_ENTRY {
    ULONG Selector;
    LDT_ENTRY Descriptor;
} DESCRIPTOR_TABLE_ENTRY, *PDESCRIPTOR_TABLE_ENTRY;
/* Virtual-memory usage counters for a process (see get_process_mem_stats()
 * below). All sizes are SIZE_T; PageFaultCount is a plain ULONG.
 */
typedef struct _VM_COUNTERS {
    SIZE_T PeakVirtualSize;
    SIZE_T VirtualSize;
    ULONG PageFaultCount;
    SIZE_T PeakWorkingSetSize;
    SIZE_T WorkingSetSize;
    SIZE_T QuotaPeakPagedPoolUsage;
    SIZE_T QuotaPagedPoolUsage;
    SIZE_T QuotaPeakNonPagedPoolUsage;
    SIZE_T QuotaNonPagedPoolUsage;
    SIZE_T PagefileUsage;
    SIZE_T PeakPagefileUsage;
} VM_COUNTERS;
/* Process drive-map information (see nt_get_drive_map() below). Set and Query
 * overlay each other: Set carries the directory handle to install, Query
 * receives a drive bitmask plus a per-letter type array. The trailing Flags
 * field exists only in 64-bit builds.
 */
typedef struct _PROCESS_DEVICEMAP_INFORMATION {
    union {
        struct {
            HANDLE DirectoryHandle;
        } Set;
        struct {
            ULONG DriveMap;
            UCHAR DriveType[32];
        } Query;
    };
#ifdef X64
    ULONG Flags;
#endif
} PROCESS_DEVICEMAP_INFORMATION, *PPROCESS_DEVICEMAP_INFORMATION;
#if defined(NOT_DYNAMORIO_CORE)
/* Minimal type shims for consumers built outside the DynamoRIO core
 * (enclosing #if defined(NOT_DYNAMORIO_CORE)), which do not get these from
 * globals_shared.h.
 */
# ifndef bool
typedef char bool;
# endif
typedef unsigned __int64 uint64;
#endif
/* The core proper already gets these from the SDK headers, e.g.
 * _JOBOBJECT_EXTENDED_LIMIT_INFORMATION and _IO_COUNTERS.
 */
#if !defined(NOT_DYNAMORIO_CORE) && !defined(NOT_DYNAMORIO_CORE_PROPER)
/* For NtQueryInformationProcess using
 * ProcessPooledQuotaLimits or for NtSetInformationProcess using
 * ProcessQuotaLimits */
/* A single NtSetInformationProcess call changes either the
 * working set or the other values: only when both
 * MinimumWorkingSetSize and MaximumWorkingSetSize are non-zero is the
 * working set adjusted, and the other values are ignored.
 * (Nebbett p.141)
 *
 * Job and working set note from MSDN: "Processes can still empty their
 * working sets using the SetProcessWorkingSetSize function, even when
 * JOB_OBJECT_LIMIT_WORKINGSET is used. However, you cannot use
 * SetProcessWorkingSetSize to change the minimum or maximum working
 * set size."
 */
/*
 * NtQueryInformationProcess ProcessWorkingSetWatch
 */
/* One working-set-watch record: the faulting instruction and the faulting
 * virtual address.
 */
typedef struct _PROCESS_WS_WATCH_INFORMATION {
    PVOID FaultingPc;
    PVOID FaultingVa;
} PROCESS_WS_WATCH_INFORMATION, *PPROCESS_WS_WATCH_INFORMATION;
/* Paged/non-paged pool and pagefile usage with their limits, in bytes
 * (SIZE_T).
 */
typedef struct _POOLED_USAGE_AND_LIMITS {
    SIZE_T PeakPagedPoolUsage;
    SIZE_T PagedPoolUsage;
    SIZE_T PagedPoolLimit;
    SIZE_T PeakNonPagedPoolUsage;
    SIZE_T NonPagedPoolUsage;
    SIZE_T NonPagedPoolLimit;
    SIZE_T PeakPagefileUsage;
    SIZE_T PagefileUsage;
    SIZE_T PagefileLimit;
} POOLED_USAGE_AND_LIMITS;
typedef POOLED_USAGE_AND_LIMITS *PPOOLED_USAGE_AND_LIMITS;
/*
 * NtSetInformationProcess ProcessAccessToken
 * PROCESS_SET_ACCESS_TOKEN access is needed to use it.
 */
/* Argument to NtSetInformationProcess(ProcessAccessToken): the token to
 * install on the process and the thread handle to apply it with. Replacing
 * a process token is a privileged operation; callers need
 * PROCESS_SET_ACCESS_TOKEN on the target.
 */
typedef struct _PROCESS_ACCESS_TOKEN {
    HANDLE Token;
    HANDLE Thread;
} PROCESS_ACCESS_TOKEN, *PPROCESS_ACCESS_TOKEN;
# define JOB_OBJECT_LIMIT_WORKINGSET 0x00000001
# define JOB_OBJECT_LIMIT_PROCESS_TIME 0x00000002
# define JOB_OBJECT_LIMIT_JOB_TIME 0x00000004
# define JOB_OBJECT_LIMIT_ACTIVE_PROCESS 0x00000008
# define JOB_OBJECT_LIMIT_AFFINITY 0x00000010
# define JOB_OBJECT_LIMIT_PRIORITY_CLASS 0x00000020
# define JOB_OBJECT_LIMIT_PRESERVE_JOB_TIME 0x00000040
# define JOB_OBJECT_LIMIT_SCHEDULING_CLASS 0x00000080
# define JOB_OBJECT_LIMIT_PROCESS_MEMORY 0x00000100
# define JOB_OBJECT_LIMIT_JOB_MEMORY 0x00000200
# define JOB_OBJECT_LIMIT_DIE_ON_UNHANDLED_EXCEPTION 0x00000400
# define JOB_OBJECT_LIMIT_BREAKAWAY_OK 0x00000800
# define JOB_OBJECT_LIMIT_SILENT_BREAKAWAY_OK 0x00001000
# define JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE 0x00002000
#endif
/* SEH registration record; referred to in WINNT.H as _EXCEPTION_REGISTRATION_RECORD */
/* Node of the SEH handler chain headed by TEB.ExceptionList: link to the
 * previous record plus the handler routine address.
 */
typedef struct _EXCEPTION_REGISTRATION {
    struct _EXCEPTION_REGISTRATION *prev;
    PVOID handler;
} EXCEPTION_REGISTRATION, *PEXCEPTION_REGISTRATION;
/* GDI batching area embedded in the TEB; declared only so the TEB layout
 * below has the right size.
 */
typedef struct _GDI_TEB_BATCH {
    ULONG Offset;
    HANDLE HDC;
    ULONG Buffer[0x136];
} GDI_TEB_BATCH;
/* Originally from the Native API Reference;
 * later updated to win8 pdb info.
 */
/* Thread Environment Block. Self points back at this structure;
 * ProcessEnvironmentBlock at the owning PEB. The tail of the structure
 * differs between the Vista+ layout (default) and the PRE_VISTA_TEB layout.
 * Sizes of SpareBytes1 and the presence of the BStore fields depend on X64.
 */
typedef struct _TEB {
    PEXCEPTION_REGISTRATION ExceptionList; /* head of the SEH chain */
    PVOID StackBase;
    PVOID StackLimit;
    PVOID SubSystemTib;
    union {
        PVOID FiberData;
        DWORD Version;
    };
    PVOID ArbitraryUserPointer;
    struct _TEB *Self;
    PVOID EnvironmentPointer;
    CLIENT_ID ClientId;
    PVOID ActiveRpcHandle;
    PVOID ThreadLocalStoragePointer;
    PEB *ProcessEnvironmentBlock;
    DWORD LastErrorValue;
    DWORD CountOfOwnedCriticalSections;
    PVOID CsrClientThread;
    PVOID Win32ThreadInfo;
    DWORD User32Reserved[26];
    DWORD UserReserved[5];
    PVOID WOW32Reserved;
    DWORD CurrentLocale;
    DWORD FpSoftwareStatusRegister;
    PVOID SystemReserved1[54];
    LONG ExceptionCode;
    PVOID ActivationContextStackPointer;
#ifdef X64
    byte SpareBytes1[24];
#else
    byte SpareBytes1[36];
#endif
    DWORD TxFsContext;
    GDI_TEB_BATCH GdiTebBatch;
    CLIENT_ID RealClientId;
    PVOID GdiCachedProcessHandle;
    DWORD GdiClientPID;
    DWORD GdiClientTID;
    PVOID GdiThreadLocalInfo;
    ptr_uint_t Win32ClientInfo[62];
    PVOID glDispatchTable[233];
    ptr_uint_t glReserved1[29];
    PVOID glReserved2;
    PVOID glSectionInfo;
    PVOID glSection;
    PVOID glTable;
    PVOID glCurrentRC;
    PVOID glContext;
    DWORD LastStatusValue;
    UNICODE_STRING StaticUnicodeString;
    WORD StaticUnicodeBuffer[261];
    PVOID DeallocationStack;
    PVOID TlsSlots[64];
    LIST_ENTRY TlsLinks;
    PVOID Vdm;
    PVOID ReservedForNtRpc;
    PVOID DbgSsReserved[2];
    DWORD HardErrorMode;
    PVOID Instrumentation[14];
    PVOID SubProcessTag;
    PVOID EtwTraceData;
    PVOID WinSockData;
    DWORD GdiBatchCount;
    byte InDbgPrint;
    byte FreeStackOnTermination;
    byte HasFiberData;
    byte IdealProcessor;
    DWORD GuaranteedStackBytes;
    PVOID ReservedForPerf;
    PVOID ReservedForOle;
    DWORD WaitingOnLoaderLock;
    ptr_uint_t SparePointer1;
    ptr_uint_t SoftPatchPtr1;
    ptr_uint_t SoftPatchPtr2;
    PPVOID TlsExpansionSlots;
#ifdef X64
    PVOID DeallocationBStore;
    PVOID BStoreLimit;
#endif
    DWORD ImpersonationLocale;
    DWORD IsImpersonating;
    PVOID NlsCache;
    PVOID pShimData;
    DWORD HeapVirtualAffinity;
    PVOID CurrentTransactionHandle;
    PVOID ActiveFrame;
    PPVOID FlsData;
#ifndef PRE_VISTA_TEB
    PVOID PreferredLanguages;
    PVOID UserPrefLanguages;
    PVOID MergedPrefLanguages;
    ULONG MuiImpersonation;
    union {
        USHORT CrossTebFlags;
        USHORT SpareCrossTebFlags : 16;
    };
    union {
        USHORT SameTebFlags;
        struct {
            USHORT SafeThunkCall : 1;
            USHORT InDebugPrint : 1;
            USHORT HasFiberData2 : 1;
            USHORT SkipThreadAttach : 1;
            USHORT WerInShipAssertCode : 1;
            USHORT RanProcessInit : 1;
            USHORT ClonedThread : 1;
            USHORT SuppressDebugMsg : 1;
            USHORT DisableUserStackWalk : 1;
            USHORT RtlExceptionAttached : 1;
            USHORT InitialThread : 1;
            USHORT SessionAware : 1;
            USHORT SpareSameTebBits : 4;
        };
    };
    PVOID TxnScopeEntercallback;
    PVOID TxnScopeExitCAllback; /* sic: name kept for source compatibility */
    PVOID TxnScopeContext;
    ULONG LockCount;
    ULONG SpareUlong0;
    PVOID ResourceRetValue;
    PVOID ReservedForWdf;
    PVOID ReservedForCrt;
    PVOID EffectiveContainerId;
#else
    byte SafeThunkCall;
    byte BooleanSpare[3];
#endif
} TEB;
/* Result buffer for the basic thread-information query. TebBaseAddress is an
 * address in the thread's process.
 */
typedef struct _THREAD_BASIC_INFORMATION {
    NTSTATUS ExitStatus;
    PNT_TIB TebBaseAddress;
    CLIENT_ID ClientId;
    KAFFINITY AffinityMask;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
} THREAD_BASIC_INFORMATION, *PTHREAD_BASIC_INFORMATION;
/* System-wide page and address-space parameters. The trailing Unknown2
 * exists only in 64-bit builds, presumably as tail padding -- confirm
 * against the OS symbols before relying on it.
 */
typedef struct _SYSTEM_BASIC_INFORMATION {
    ULONG Unknown;
    ULONG MaximumIncrement;
    ULONG PhysicalPageSize;
    ULONG NumberOfPhysicalPages;
    ULONG LowestPhysicalPage;
    ULONG HighestPhysicalPage;
    ULONG AllocationGranularity;
    PVOID LowestUserAddress;
    PVOID HighestUserAddress;
    ULONG_PTR ActiveProcessors;
    UCHAR NumberProcessors;
#ifdef X64
    ULONG Unknown2;
#endif
} SYSTEM_BASIC_INFORMATION, *PSYSTEM_BASIC_INFORMATION;
/* Processor architecture/level/revision and feature bits. */
typedef struct _SYSTEM_PROCESSOR_INFORMATION {
    USHORT ProcessorArchitecture;
    USHORT ProcessorLevel;
    USHORT ProcessorRevision;
    USHORT Unknown;
    ULONG FeatureBits;
} SYSTEM_PROCESSOR_INFORMATION, *PSYSTEM_PROCESSOR_INFORMATION;
/* System-wide performance counters. Several field names carry historical
 * typos (TranstitionFaults, SmallPagedLookasieListAllocateHits); they are
 * kept verbatim because callers reference them.
 */
typedef struct _SYSTEM_PERFORMANCE_INFORMATION {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
    ULONG ReadOperationCount;
    ULONG WriteOperationCount;
    ULONG OtherOperationCount;
    ULONG AvailablePages;
    ULONG TotalCommittedPages;
    ULONG TotalCommitLimit;
    ULONG PeakCommitment;
    ULONG PageFaults;
    ULONG WriteCopyFaults;
    ULONG TranstitionFaults;
    ULONG Reserved1;
    ULONG DemandZeroFaults;
    ULONG PagesRead;
    ULONG PageReadIos;
    ULONG Reserved2[2];
    ULONG PageFilePagesWritten;
    ULONG PageFilePagesWriteIos;
    ULONG MappedFilePagesWritten;
    ULONG PagedPoolUsage;
    ULONG NonPagedPoolUsage;
    ULONG PagedPoolAllocs;
    ULONG PagedPoolFrees;
    ULONG NonPagedPoolAllocs;
    ULONG NonPagedPoolFrees;
    ULONG TotalFreeSystemPtes;
    ULONG SystemCodePage;
    ULONG TotalSystemDriverPages;
    ULONG TotalSystemCodePages;
    ULONG SmallNonPagedLookasideListAllocateHits;
    ULONG SmallPagedLookasieListAllocateHits;
    ULONG Reserved3;
    ULONG MmSystemCachePage;
    ULONG PagedPoolPage;
    ULONG SystemDriverPage;
    ULONG FastReadNoWait;
    ULONG FastReadWait;
    ULONG FastReadResourceMiss;
    ULONG FastReadNotPossible;
    ULONG FastMdlReadNoWait;
    ULONG FastMdlReadWait;
    ULONG FastMdlReadResourceMiss;
    ULONG FastMdlReadNotPossible;
    ULONG MapDataNoWait;
    ULONG MapDataWait;
    ULONG MapDataNoWaitMiss;
    ULONG MapDataWaitMiss;
    ULONG PinMappedDataCount;
    ULONG PinReadNoWait;
    ULONG PinReadWait;
    ULONG PinReadNoWaitMiss;
    ULONG PinReadWaitMiss;
    ULONG CopyReadNoWait;
    ULONG CopyReadWait;
    ULONG CopyReadNoWaitMiss;
    ULONG CopyReadWaitMiss;
    ULONG MdlReadNoWait;
    ULONG MdlReadWait;
    ULONG MdlReadNoWaitMiss;
    ULONG MdlReadWaitMiss;
    ULONG ReadAheadIos;
    ULONG LazyWriteIos;
    ULONG LazyWritePages;
    ULONG DataFlushes;
    ULONG DataPages;
    ULONG ContextSwitches;
    ULONG FirstLevelTbFills;
    ULONG SecondLevelTbFills;
    ULONG SystemCalls;
    ULONG Unknown[4];
} SYSTEM_PERFORMANCE_INFORMATION, *PSYSTEM_PERFORMANCE_INFORMATION;
/* Boot time, current time and time-zone bias as LARGE_INTEGER values. */
typedef struct _SYSTEM_TIME_OF_DAY_INFORMATION {
    LARGE_INTEGER BootTime;
    LARGE_INTEGER CurrentTime;
    LARGE_INTEGER TimeZoneBias;
    ULONG CurrentTimeZoneId;
} SYSTEM_TIME_OF_DAY_INFORMATION, *PSYSTEM_TIME_OF_DAY_INFORMATION;
/* Per-processor time split (idle/kernel/user/DPC/interrupt) plus the
 * interrupt count.
 */
typedef struct _SYSTEM_PROCESSOR_TIMES {
    LARGE_INTEGER IdleTime;
    LARGE_INTEGER KernelTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER DpcTime;
    LARGE_INTEGER InterruptTime;
    ULONG InterruptCount;
} SYSTEM_PROCESSOR_TIMES, *PSYSTEM_PROCESSOR_TIMES;
/* I/O operation and transfer counters, all 64-bit. */
typedef struct _IO_COUNTERSEX {
    LARGE_INTEGER ReadOperationCount;
    LARGE_INTEGER WriteOperationCount;
    LARGE_INTEGER OtherOperationCount;
    LARGE_INTEGER ReadTransferCount;
    LARGE_INTEGER WriteTransferCount;
    LARGE_INTEGER OtherTransferCount;
} IO_COUNTERSEX, *PIO_COUNTERSEX;
/* Scheduler state of a thread as reported in SYSTEM_THREADS.ThreadState. */
typedef enum _THREAD_STATE {
    StateInitialized,
    StateReady,
    StateRunning,
    StateStandby,
    StateTerminated,
    StateWait,
    StateTransition,
    StateUnknown
} THREAD_STATE;
/* Why a waiting thread is waiting (SYSTEM_THREADS.WaitReason). The Wr*
 * values mirror the first group; WrRendevous keeps its historical spelling.
 */
typedef enum _KWAIT_REASON {
    Executive,
    FreePage,
    PageIn,
    PoolAllocation,
    DelayExecution,
    Suspended,
    UserRequest,
    WrExecutive,
    WrFreePage,
    WrPageIn,
    WrPoolAllocation,
    WrDelayExecution,
    WrSuspended,
    WrUserRequest,
    WrEventPair,
    WrQueue,
    WrLpcReceive,
    WrVirtualMemory,
    WrPageOut,
    WrRendevous,
    WrSpare2,
    WrSpare3,
    WrSpare4,
    WrSpare5,
    WrSpare6,
    WrKernel
} KWAIT_REASON;
/* Per-thread record that follows each SYSTEM_PROCESSES entry in the
 * system process/thread enumeration.
 */
typedef struct _SYSTEM_THREADS {
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    ULONG WaitTime;
    PVOID StartAddress;
    CLIENT_ID ClientId;
    KPRIORITY Priority;
    KPRIORITY BasePriority;
    ULONG ContextSwitchCount;
    THREAD_STATE ThreadState;
    KWAIT_REASON WaitReason;
    ULONG Padding;
} SYSTEM_THREADS, *PSYSTEM_THREADS;
/* One process entry of the system process enumeration. Entries are
 * variable-length: Threads[1] is the start of ThreadCount SYSTEM_THREADS
 * records, and NextEntryDelta is the byte offset to the next entry (0 at
 * the end). A walker must bound both values by the buffer it was handed,
 * since the buffer contents come from the kernel but its size from the
 * caller.
 */
typedef struct _SYSTEM_PROCESSES {
    ULONG NextEntryDelta;
    ULONG ThreadCount;
    LARGE_INTEGER WorkingSetPrivateSize;
    ULONG HardFaultCount;
    ULONG NumberOfThreadsHighWatermark;
    ULONGLONG CycleTime;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER UserTime;
    LARGE_INTEGER KernelTime;
    UNICODE_STRING ProcessName;
    KPRIORITY BasePriority;
    HANDLE ProcessId;
    HANDLE InheritedFromProcessId;
    ULONG HandleCount;
    ULONG SessionId;
    ULONG_PTR PageDirectoryFrame;
    VM_COUNTERS VmCounters;
    SIZE_T PrivatePageCount;
    IO_COUNTERSEX IoCounters;
    SYSTEM_THREADS Threads[1]; /* actually ThreadCount entries */
} SYSTEM_PROCESSES, *PSYSTEM_PROCESSES;
/* Wrapper for the system-wide NtGlobalFlag value. */
typedef struct _SYSTEM_GLOBAL_FLAG {
    ULONG GlobalFlag;
} SYSTEM_GLOBAL_FLAG, *PSYSTEM_GLOBAL_FLAG;
/* Result of the mapped-file-name memory query (see get_mapped_file_name()
 * below): the string's characters follow the header in the same buffer.
 */
typedef struct _MEMORY_SECTION_NAME {
    UNICODE_STRING SectionFileName;
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
#define SYMBOLIC_LINK_QUERY (0x1)
#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYMBOLIC_LINK_QUERY)
/* Structure passed to NtCreateUserProcess as its last argument.
 * Note the similarities to CreateThreadEx arg 11 below. The struct starts with a size,
 * and after that looks kind of like an array of 16-byte (32 on 64-bit) elements corresponding
 * to the IN and OUT informational ptrs. Each array element consists of a ?flags? value, then
 * the sizeof of the IN/OUT ptr buffer, then the ptr itself, then 0.
 */
/* Access-direction bits OR'ed into thread_info_elm_t.flags: which way the
 * element's buffer is transferred.
 */
typedef enum {
    THREAD_INFO_ELEMENT_BUFFER_IS_INOUT = 0x00000,
    THREAD_INFO_ELEMENT_BUFFER_IS_OUT = 0x10000,
    THREAD_INFO_ELEMENT_BUFFER_IS_IN = 0x20000,
} thread_info_elm_buf_access_t;
/* Buffer-type values in the low bits of thread_info_elm_t.flags, combined
 * with a thread_info_elm_buf_access_t value. The UNKNOWN_* entries were
 * observed, not documented.
 */
typedef enum {
    THREAD_INFO_ELEMENT_CLIENT_ID = 0x3,
    THREAD_INFO_ELEMENT_TEB = 0x4,
    THREAD_INFO_ELEMENT_NT_PATH_TO_EXE =
        0x5, /* buffer is the nt path to the executable
              * [ i.e. L"\??\c:\foo.exe" ] - IN */
    THREAD_INFO_ELEMENT_EXE_STUFF = 0x6, /* buffer is an exe_stuff_t
                                          * - INOUT */
    THREAD_INFO_ELEMENT_UNKNOWN_1 = 0x9, /* pointer-sized value
                                          * [ observed 1 ] - IN */
    THREAD_INFO_ELEMENT_UNKNOWN_2 = 0x10000,
} thread_info_elm_buf_type_t;
/* One element of the create-process/create-thread info arrays: flags
 * (buffer type | access direction), the buffer's size in bytes, the buffer
 * pointer, and a trailing word that has only been observed as 0.
 */
typedef struct _thread_info_element_t {
    ptr_uint_t flags;
    size_t buffer_size;
    void *buffer;
    ptr_uint_t unknown;
} thread_info_elm_t;
/* Buffer for the THREAD_INFO_ELEMENT_EXE_STUFF element. Only the entry
 * point output is understood; the remaining words are reverse-engineered
 * padding of the observed size (0x30, or 0x40 on 64-bit).
 */
typedef struct _exe_stuff_t {
    OUT void *exe_entrypoint_addr;
    ptr_uint_t unknown1[3];
    uint32 unknown2[8];
} exe_stuff_t;
/* Info block for NtCreateUserProcess: struct_size followed by the element
 * triple observed to be required, in this order. The flags values quoted
 * per element are the observed (buffer type | access) encodings.
 */
typedef struct _create_proc_thread_info_t {
    size_t struct_size;
    /* flags = 0x20005
     * buffer_size = varies (sizeof buffer string in bytes)
     * buffer = wchar * : nt path to executable i.e. "\??\c:\foo.exe" - IN */
    thread_info_elm_t nt_path_to_exe;
    /* flags = 0x10003
     * buffer_size = sizeof(CLIENT_ID)
     * buffer = PCLIENT_ID : OUT */
    thread_info_elm_t client_id;
    /* flags = 0x6
     * buffer_size = 0x30 (or 0x40 on 64-bit) == sizeof(exe_stuff_t)
     * buffer = exe_stuff_t * : IN/OUT */
    thread_info_elm_t exe_stuff;
    /* The three elements above appear to be fixed
     * (and attempts to remove or re-arrange them caused the system call to fail,
     * assuming I managed to do it right), there's more variation in the later fields
     * (sometimes present, sometimes not) - most commonly there'll be nothing or just the
     * TEB * info field (flags = 0x10003) which I've seen here a lot on 32bit. */
#if 0
    thread_info_elm_t info[];
#endif
} create_proc_thread_info_t;
/* Structure passed to NtCreateThreadEx as its last argument; compare with
 * NtCreateUserProcess above. */
/* Info block for NtCreateThreadEx: struct_size followed by the two output
 * elements in the order they were observed to work.
 */
typedef struct _create_thread_info_t {
    size_t struct_size;
    /* Both elements below are always present in this order;
     * I've never seen any variation elsewhere. Trying to swap the order caused the
     * system call to fail when I tried it (assuming I did it right). */
    /* flags = 0x10003
     * buffer_size = sizeof(CLIENT_ID)
     * buffer = PCLIENT_ID : OUT */
    thread_info_elm_t client_id;
    /* flags = 0x10004
     * buffer_size = sizeof(CLIENT_ID)  (sic: the buffer is a TEB **, so confirm the
     *                                   size that is actually passed at the call site)
     * buffer = TEB ** : OUT */
    thread_info_elm_t teb;
} create_thread_info_t;
/* PEB.ReadOnlyStaticServerData points at an array of pointers set up by the
 * kernel (so 64-bit for WOW64). The second pointer points at this structure.
 * However, be careful b/c the UNICODE_STRING structs are really UNICODE_STRING_64
 * for WOW64.
 */
/* Native-layout view of the CSR base static server data (Windows and system
 * directories, named-object directory, version). Under WOW64 the real data
 * uses 64-bit UNICODE_STRINGs; use BASE_STATIC_SERVER_DATA_64 there.
 */
typedef struct _BASE_STATIC_SERVER_DATA {
    UNICODE_STRING WindowsDirectory;
    UNICODE_STRING WindowsSystemDirectory;
    UNICODE_STRING NamedObjectDirectory;
    USHORT WindowsMajorVersion;
    USHORT WindowsMinorVersion;
    USHORT BuildNumber;
} BASE_STATIC_SERVER_DATA, *PBASE_STATIC_SERVER_DATA;
#ifndef X64
/* 64-bit-layout view of the same data, for a 32-bit build running under
 * WOW64 (enclosing #ifndef X64).
 */
typedef struct _BASE_STATIC_SERVER_DATA_64 {
    UNICODE_STRING_64 WindowsDirectory;
    UNICODE_STRING_64 WindowsSystemDirectory;
    UNICODE_STRING_64 NamedObjectDirectory;
    USHORT WindowsMajorVersion;
    USHORT WindowsMinorVersion;
    USHORT BuildNumber;
} BASE_STATIC_SERVER_DATA_64, *PBASE_STATIC_SERVER_DATA_64;
#endif
/* Directory-enumeration record. Variable-length: FileName[1] is the start of
 * FileNameLength bytes of (non-NUL-terminated) WCHARs, and NextEntryOffset
 * is the byte offset to the next record (0 at the end). Both must be
 * bounded by the size of the buffer actually returned.
 */
typedef struct _FILE_BOTH_DIR_INFORMATION {
    ULONG NextEntryOffset;
    ULONG FileIndex;
    LARGE_INTEGER CreationTime;
    LARGE_INTEGER LastAccessTime;
    LARGE_INTEGER LastWriteTime;
    LARGE_INTEGER ChangeTime;
    LARGE_INTEGER EndOfFile;
    LARGE_INTEGER AllocationSize;
    ULONG FileAttributes;
    ULONG FileNameLength; /* in bytes */
    ULONG EaSize;
    CCHAR ShortNameLength;
    WCHAR ShortName[12];
    WCHAR FileName[1];
} FILE_BOTH_DIR_INFORMATION, *PFILE_BOTH_DIR_INFORMATION;
/* Product type reported in KUSER_SHARED_DATA.NtProductType (valid only when
 * ProductTypeIsValid is set).
 */
typedef enum _NT_PRODUCT_TYPE {
    NtProductWinNt = 1,
    NtProductLanManNt,
    NtProductServer
} NT_PRODUCT_TYPE,
    *PNT_PRODUCT_TYPE;
/* Platform variant reported in KUSER_SHARED_DATA.AlternativeArchitecture. */
typedef enum _ALTERNATIVE_ARCHITECTURE_TYPE {
    StandardDesign,
    NEC98x86,
    EndAlternatives
} ALTERNATIVE_ARCHITECTURE_TYPE;
/* 64-bit time value published by the kernel as a low part plus two copies of
 * the high part; a reader compares High1Time and High2Time to detect a torn
 * read and retries if they differ.
 */
typedef struct _KSYSTEM_TIME {
    ULONG LowPart;
    LONG High1Time;
    LONG High2Time;
} KSYSTEM_TIME, *PKSYSTEM_TIME;
#define PROCESSOR_FEATURE_MAX 64
/* The kernel/user shared page, mapped at KUSER_SHARED_DATA_ADDRESS. The
 * volatile KSYSTEM_TIME fields are updated by the kernel concurrently with
 * user-mode reads (see KSYSTEM_TIME for the torn-read check).
 */
typedef struct _KUSER_SHARED_DATA {
    ULONG TickCountLowDeprecated;
    ULONG TickCountMultiplier;
    volatile KSYSTEM_TIME InterruptTime;
    volatile KSYSTEM_TIME SystemTime;
    volatile KSYSTEM_TIME TimeZoneBias;
    USHORT ImageNumberLow;
    USHORT ImageNumberHigh;
    WCHAR NtSystemRoot[260];
    ULONG MaxStackTraceDepth;
    ULONG CryptoExponent;
    ULONG TimeZoneId;
    ULONG LargePageMinimum;
    ULONG Reserved2[7];
    NT_PRODUCT_TYPE NtProductType;
    BOOLEAN ProductTypeIsValid;
    ULONG NtMajorVersion;
    ULONG NtMinorVersion;
    BOOLEAN ProcessorFeatures[PROCESSOR_FEATURE_MAX];
    ULONG Reserved1;
    ULONG Reserved3;
    volatile ULONG TimeSlip;
    ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
    LARGE_INTEGER SystemExpirationDate;
    ULONG SuiteMask;
    BOOLEAN KdDebuggerEnabled;
    volatile ULONG ActiveConsoleId;
    volatile ULONG DismountCount;
    ULONG ComPlusPackage;
    ULONG LastSystemRITEventTickCount;
    ULONG NumberOfPhysicalPages;
    BOOLEAN SafeBootMode;
    ULONG TraceLogging;
    ULONGLONG Fill0;
    ULONGLONG SystemCall[4];
    union {
        volatile KSYSTEM_TIME TickCount;
        volatile ULONG64 TickCountQuad;
    };
} KUSER_SHARED_DATA;
#define KUSER_SHARED_DATA_ADDRESS ((ULONG_PTR)0x7ffe0000)
/*
 * function declarations
 */
/* Module setup/teardown. */
void
ntdll_init(void);
void
ntdll_exit(void);
/* Closes h and returns the raw NTSTATUS; check the result with NT_SUCCESS. */
NTSTATUS
nt_raw_close(HANDLE h);
/* bool-returning close of h (the older convention of this file). */
bool
close_handle(HANDLE h);
/* Extra option bit for duplicate_handle() beyond the SDK's DUPLICATE_* set. */
#define DUPLICATE_SAME_ATTRIBUTES 0x00000004
/* Duplicates `source` from source_process into target_process, storing the new
 * handle in *target; returns the raw NTSTATUS. `access` and `options` are
 * passed through, so callers should request the narrowest access that the
 * intended use needs.
 */
NTSTATUS
duplicate_handle(HANDLE source_process, HANDLE source, HANDLE target_process,
                 HANDLE *target, ACCESS_MASK access, uint attributes, uint options);
/* Returns the access rights granted on `handle`. */
ACCESS_MASK
nt_get_handle_access_rights(HANDLE handle);
/* Tri-state result of is_thread_exited(): a failed query is reported as
 * THREAD_EXIT_ERROR rather than being folded into either answer.
 */
typedef enum {
    THREAD_EXITED,
    THREAD_NOT_EXITED,
    THREAD_EXIT_ERROR
} thread_exited_status_t;
/* Whether hthread has exited; see thread_exited_status_t for the error case. */
thread_exited_status_t
is_thread_exited(HANDLE hthread);
/* Id lookups from handles. */
thread_id_t
thread_id_from_handle(HANDLE h);
process_id_t
process_id_from_handle(HANDLE h);
process_id_t
process_id_from_thread_handle(HANDLE h);
/* Handle lookups from ids. The returned handle is presumably owned by the
 * caller and must be closed -- confirm against the definitions.
 */
HANDLE
process_handle_from_id(process_id_t pid);
HANDLE
thread_handle_from_id(thread_id_t tid);
/* PEB accessors. get_peb(h) returns the PEB address of process h, which is
 * only dereferenceable when h is the current process; get_own_peb() is the
 * caller's own. get_peb_maybe64 returns the address as a uint64 rather than
 * a pointer, presumably so a 64-bit target's PEB can be named from a 32-bit
 * build.
 */
PEB *
get_peb(HANDLE h);
PEB *
get_own_peb(void);
uint64
get_peb_maybe64(HANDLE h);
#ifdef X64
/* 64-bit builds only: address of the 32-bit PEB of a WOW64 process/thread. */
uint64
get_peb32(HANDLE process, HANDLE thread);
#endif
/* TEB address of thread h (dereferenceable only within the same process). */
TEB *
get_teb(HANDLE h);
/* Base address at which ntdll.dll is mapped in this process. */
void *
get_ntdll_base(void);
#if !defined(NOT_DYNAMORIO_CORE_PROPER) && !defined(NOT_DYNAMORIO_CORE)
/* Whether pc lies inside the ntdll.dll image (core-only). */
bool
is_in_ntdll(app_pc pc);
#endif
/* Queries the region containing pc in `process` into mbi (mbilen bytes);
 * *got presumably receives the number of bytes written. Returns the raw
 * NTSTATUS.
 */
NTSTATUS
nt_remote_query_virtual_memory(HANDLE process, const byte *pc,
                               MEMORY_BASIC_INFORMATION *mbi, size_t mbilen, size_t *got);
/* Same for the current process; returns the number of bytes written to mbi. */
size_t
query_virtual_memory(const byte *pc, MEMORY_BASIC_INFORMATION *mbi, size_t mbilen);
/* Fills buf (buf_bytes bytes) with the name of the file mapped at pc. The
 * result presumably arrives as a MEMORY_SECTION_NAME whose string data
 * follows the header inside buf -- confirm at the definition.
 */
NTSTATUS
get_mapped_file_name(const byte *pc, PWSTR buf, USHORT buf_bytes);
/* Keep in mind base is now an IN/OUT value: a NULL value means no preference.
 * Will bump size up to a PAGE_SIZE multiple. */
/* Allocates size bytes with protection prot in `process`; *base is the
 * requested address on entry (NULL for any) and the actual address on
 * success. `commit` selects reserve vs commit. Returns the raw NTSTATUS.
 */
NTSTATUS
nt_remote_allocate_virtual_memory(HANDLE process, void **base, size_t size, uint prot,
                                  memory_commit_status_t commit);
/* Releases the allocation at base in `process`. */
NTSTATUS
nt_remote_free_virtual_memory(HANDLE process, void *base);
/* Keep in mind base is now an IN/OUT value: a NULL value means no preference.
 */
/* Current-process allocation: *base is IN/OUT as described above. */
NTSTATUS
nt_allocate_virtual_memory(void **base, size_t size, uint prot,
                           memory_commit_status_t commit);
NTSTATUS
nt_commit_virtual_memory(void *base, size_t size, uint prot);
NTSTATUS
nt_decommit_virtual_memory(void *base, size_t size);
NTSTATUS
nt_free_virtual_memory(void *base);
/* Changes the protection of [base, base+size) to prot; *old_prot receives the
 * previous protection. bool-returning (older convention).
 */
bool
protect_virtual_memory(void *base, size_t size, uint prot, uint *old_prot);
bool
nt_remote_protect_virtual_memory(HANDLE process, void *base, size_t size, uint prot,
                                 uint *old_prot);
/* Cross-process memory copy. The bool variants report success; the
 * nt_raw_* variants return the NTSTATUS. In both, bytes_read/bytes_written
 * presumably receive the count actually transferred, which can be short of
 * buffer_length -- callers should check it rather than assume a full copy,
 * since the remote range may be only partly accessible.
 */
bool
nt_read_virtual_memory(HANDLE process, const void *base, void *buffer,
                       size_t buffer_length, size_t *bytes_read);
bool
nt_write_virtual_memory(HANDLE process, void *base, const void *buffer,
                        size_t buffer_length, size_t *bytes_written);
NTSTATUS
nt_raw_read_virtual_memory(HANDLE process, const void *base, void *buffer,
                           size_t buffer_length, size_t *bytes_read);
NTSTATUS
nt_raw_write_virtual_memory(HANDLE process, void *base, const void *buffer,
                            size_t buffer_length, size_t *bytes_written);
/* Resumes execution at cxt; does not return to the caller. */
void
nt_continue(CONTEXT *cxt);
/* Thread context get/set; cxt->ContextFlags presumably selects which parts
 * are transferred -- confirm at the definitions.
 */
NTSTATUS
nt_get_context(HANDLE hthread, CONTEXT *cxt);
NTSTATUS
nt_set_context(HANDLE hthread, CONTEXT *cxt);
bool
nt_is_thread_terminating(HANDLE hthread);
/* Suspend/resume; *previous_suspend_count receives the prior count. */
bool
nt_thread_suspend(HANDLE hthread, int *previous_suspend_count);
bool
nt_thread_resume(HANDLE hthread, int *previous_suspend_count);
#if !defined(NOT_DYNAMORIO_CORE_PROPER) && !defined(NOT_DYNAMORIO_CORE)
/* Core-only: steps to the thread after cur_thread in hprocess, opening it
 * with `access` into *next_thread. Presumably a NULL cur_thread starts the
 * iteration and the caller closes each returned handle -- confirm at the
 * definition.
 */
NTSTATUS
nt_thread_iterator_next(HANDLE hprocess, HANDLE cur_thread, HANDLE *next_thread,
                        ACCESS_MASK access);
#endif
/* Termination. The _for_app variants return the raw NTSTATUS so the caller
 * can relay the exact failure to the application instead of a bool.
 */
bool
nt_terminate_thread(HANDLE hthread, NTSTATUS exit_code);
bool
nt_terminate_process(HANDLE hprocess, NTSTATUS exit_code);
NTSTATUS
nt_terminate_process_for_app(HANDLE hprocess, NTSTATUS exit_code);
/* NtSetInformationProcess pass-through for the app: info is info_len bytes
 * interpreted according to `class`.
 */
NTSTATUS
nt_set_information_process_for_app(HANDLE hprocess, PROCESSINFOCLASS class, void *info,
                                   ULONG info_len);
/* Sole-thread checks; *amI receives the answer for am_I_sole_thread. */
bool
am_I_sole_thread(HANDLE hthread, int *amI );
bool
check_sole_thread(void);
/* Creates a waitable timer firing at due_time with the given period (0 for
 * one-shot presumably -- confirm at the definition); returns its handle.
 */
HANDLE
nt_create_and_set_timer(PLARGE_INTEGER due_time, LONG period);
bool
nt_sleep(PLARGE_INTEGER due_time);
void
nt_yield(void);
/* Raises pexcrec in the context pcontext. */
bool
nt_raise_exception(EXCEPTION_RECORD *pexcrec, CONTEXT *pcontext);
bool
nt_messagebox(const wchar_t *msg, const wchar_t *title);
/* TLS slot allocation in the TEB. synch selects whether the operation is
 * synchronized; *teb_offs receives the byte offset of the slot(s) in the
 * TEB. The c-variants allocate/free num consecutive slots, with tls_calloc
 * honoring `alignment`.
 */
bool
tls_alloc(int synch, uint *teb_offs );
bool
tls_calloc(int synch, uint *teb_offs , int num, uint alignment);
bool
tls_free(int synch, uint teb_offs);
bool
tls_cfree(int synch, uint teb_offs, int num);
/* Bitmap helpers over an RTL bitmap buffer of bitmap_size bits.
 * bitmap_find_free_sequence searches for num_requested_slots free bits,
 * from the top if top_down, such that the slot selected by
 * align_which_slot satisfies `alignment`; returns the first slot index,
 * and presumably a negative value when none -- confirm at the definition.
 * bitmap_mark_taken_sequence marks [first_slot, last_slot_open_end);
 * bitmap_mark_freed_sequence clears num_slots from first_slot.
 */
int
bitmap_find_free_sequence(byte *rtl_bitmap, int bitmap_size, int num_requested_slots,
                          bool top_down, int align_which_slot,
                          uint alignment);
void
bitmap_mark_taken_sequence(byte *rtl_bitmap, int bitmap_size, int first_slot,
                           int last_slot_open_end);
void
bitmap_mark_freed_sequence(byte *rtl_bitmap, int bitmap_size, int first_slot,
                           int num_slots);
/* Process resource queries. */
bool
get_process_mem_stats(HANDLE h, VM_COUNTERS *info);
NTSTATUS
get_process_mem_quota(HANDLE h, QUOTA_LIMITS *qlimits);
NTSTATUS
get_process_handle_count(HANDLE ph, ULONG *handle_count);
int
get_process_load(HANDLE h);
/* Bitness queries: is_32bit_process is the app's view (true for any 32-bit
 * image); is_wow64_process is the OS's (32-bit image on a 64-bit OS).
 */
bool
is_wow64_process(HANDLE h);
bool
is_32bit_process(HANDLE h);
NTSTATUS
nt_get_drive_map(HANDLE process, PROCESS_DEVICEMAP_INFORMATION *map OUT);
/* Base address of the section mapped by handle h. */
void *
get_section_address(HANDLE h);
/* Some are documented in the SDK CreateFileMapping */
/* Section attribute bits (the section_creation_attributes of nt_create_section()
 * and the section_attributes reported by get_section_attributes()).
 * The two *_UNSUPPORTED names carry the SDK bit values but are suffixed by
 * this file, presumably to mark them as not usable through these wrappers --
 * confirm in ntdll.c before relying on them. */
#define SEC_LARGE_PAGES 0x80000000
#ifndef SEC_VLM
# define SEC_VLM 0x02000000
#endif
#define SEC_BASED_UNSUPPORTED 0x00200000
#define SEC_NO_CHANGE_UNSUPPORTED 0x00400000
bool
get_section_attributes(HANDLE h, uint *section_attributes ,
LARGE_INTEGER *section_size );
NTSTATUS
nt_query_value_key(IN HANDLE key, IN PUNICODE_STRING value_name,
IN KEY_VALUE_INFORMATION_CLASS class, OUT PVOID info,
IN ULONG info_length, OUT PULONG res_length);
HANDLE
reg_create_key(HANDLE parent, PCWSTR keyname, ACCESS_MASK rights);
HANDLE
reg_open_key(PCWSTR keyname, ACCESS_MASK rights);
bool
reg_close_key(HANDLE hkey);
bool
reg_delete_key(HANDLE hkey);
/* Result of reg_query_value().  An undersized caller buffer is reported
 * separately from an outright failure so that a caller can presumably
 * retry with a larger info buffer. */
typedef enum _reg_query_value_result {
    REG_QUERY_FAILURE = 0,
    REG_QUERY_BUFFER_TOO_SMALL = 1,
    REG_QUERY_SUCCESS = 2
} reg_query_value_result_t;
reg_query_value_result_t
reg_query_value(PCWSTR hkey, PCWSTR subkey, KEY_VALUE_INFORMATION_CLASS key_class,
PVOID info, ULONG info_size, ACCESS_MASK rights);
bool
reg_set_key_value(HANDLE hkey, PCWSTR subkey, PCWSTR val);
bool
reg_set_dword_key_value(HANDLE hkey, PCWSTR subkey, DWORD val);
bool
reg_flush_key(HANDLE hkey);
bool
reg_enum_key(PCWSTR keyname, ULONG index, KEY_INFORMATION_CLASS info_class,
PVOID key_info, ULONG key_info_size);
bool
reg_enum_value(PCWSTR keyname, ULONG index, KEY_VALUE_INFORMATION_CLASS key_class,
PVOID key_info, ULONG key_info_length);
/* Copies the value of environment variable var into val.  valsz is the
 * capacity of val; whether it counts wchar_t elements or bytes is not stated
 * here -- NOTE(review): confirm in ntdll.c before sizing buffers, since the
 * two differ by sizeof(wchar_t).  Presumably returns false when the variable
 * is absent or does not fit; verify against the implementation. */
bool
env_get_value(PCWSTR var, wchar_t *val, size_t valsz);
/* Byte length of a SID with the given number of sub-authorities: sizeof(SID)
 * minus its ANYSIZE_ARRAY placeholder element, plus one DWORD per
 * sub-authority.  The argument is parenthesized because callers may pass an
 * expression. */
#define LengthRequiredSID(subauthorities) \
(sizeof(SID) - (ANYSIZE_ARRAY * sizeof(DWORD)) \
+ ((subauthorities) * sizeof(DWORD)))
/* Largest SID the system can produce (SID_MAX_SUB_AUTHORITIES sub-authorities);
 * guarded because newer SDKs presumably define it themselves. */
#ifndef SECURITY_MAX_SID_SIZE
# define SECURITY_MAX_SID_SIZE (LengthRequiredSID(SID_MAX_SUB_AUTHORITIES))
#endif
/* Buffer size that holds a SID_AND_ATTRIBUTES plus the largest SID it can
 * point to (e.g. for the get_*_token() routines below).  These sizes mirror
 * winnt.h structures, so we need to keep track of winnt.h changes. */
#define SECURITY_MAX_TOKEN_SIZE (SECURITY_MAX_SID_SIZE + sizeof(SID_AND_ATTRIBUTES))
NTSTATUS
get_primary_user_token(PTOKEN_USER ptoken, USHORT token_buffer_length);
NTSTATUS
get_current_user_token(PTOKEN_USER ptoken, USHORT token_buffer_length);
NTSTATUS
get_primary_owner_token(PTOKEN_OWNER powner, USHORT owner_buffer_length);
NTSTATUS
get_current_user_SID(PWSTR sid_string, USHORT buffer_length);
bool
get_owner_sd(PISECURITY_DESCRIPTOR SecurityDescriptor, PSID *Owner);
void
initialize_security_descriptor(PISECURITY_DESCRIPTOR SecurityDescriptor);
bool
set_owner_sd(PISECURITY_DESCRIPTOR SecurityDescriptor, PSID Owner);
bool
equal_sid(IN PSID Sid1, IN PSID Sid2);
void
initialize_known_SID(PSID_IDENTIFIER_AUTHORITY IdentifierAuthority, ULONG SubAuthority0,
SID *pSid);
NTSTATUS
query_seg_descriptor(HANDLE hthread, DESCRIPTOR_TABLE_ENTRY *entry);
NTSTATUS
query_win32_start_addr(HANDLE hthread, PVOID start_addr);
NTSTATUS
query_system_info(SYSTEM_INFORMATION_CLASS info_class, int info_size, PVOID info);
bool
query_full_attributes_file(PCWSTR filename, PFILE_NETWORK_OPEN_INFORMATION info);
/* Native-API file constants (ntifs.h / winioctl.h equivalents) that the SDK
 * headers we build against do not all provide, so we define them here. */
#define FILE_ANY_ACCESS 0
#define FILE_SPECIAL_ACCESS (FILE_ANY_ACCESS)
#ifndef FILE_READ_ACCESS
# define FILE_READ_ACCESS (0x0001)
#endif
#ifndef FILE_WRITE_ACCESS
# define FILE_WRITE_ACCESS (0x0002)
#endif
#define FILE_SHARE_VALID_FLAGS 0x00000007
#define FILE_ATTRIBUTE_VALID_FLAGS 0x00007fb7
#define FILE_ATTRIBUTE_VALID_SET_FLAGS 0x000031a7
/* CreateOptions bits for nt_create_file() / nt_raw_CreateFile() /
 * nt_raw_OpenFile(). */
#define FILE_DIRECTORY_FILE 0x00000001
#define FILE_WRITE_THROUGH 0x00000002
#define FILE_SEQUENTIAL_ONLY 0x00000004
#define FILE_NO_INTERMEDIATE_BUFFERING 0x00000008
#define FILE_SYNCHRONOUS_IO_ALERT 0x00000010
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020
#define FILE_NON_DIRECTORY_FILE 0x00000040
#define FILE_CREATE_TREE_CONNECTION 0x00000080
#define FILE_COMPLETE_IF_OPLOCKED 0x00000100
#define FILE_NO_EA_KNOWLEDGE 0x00000200
#define FILE_OPEN_FOR_RECOVERY 0x00000400 /* legacy name for the same bit as below */
#define FILE_OPEN_REMOTE_INSTANCE 0x00000400
#define FILE_RANDOM_ACCESS 0x00000800
#define FILE_DELETE_ON_CLOSE 0x00001000 /* file is removed when its last handle closes */
#define FILE_OPEN_BY_FILE_ID 0x00002000
#define FILE_OPEN_FOR_BACKUP_INTENT 0x00004000
#define FILE_NO_COMPRESSION 0x00008000
#define FILE_RESERVE_OPFILTER 0x00100000
/* Opens the reparse point itself instead of following it; set this when the
 * path is influenced by untrusted input so a planted symlink/junction is not
 * silently traversed. */
#define FILE_OPEN_REPARSE_POINT 0x00200000
#define FILE_OPEN_NO_RECALL 0x00400000
#define FILE_OPEN_FOR_FREE_SPACE_QUERY 0x00800000
/* Composite option sets. */
#define FILE_COPY_STRUCTURED_STORAGE 0x00000041
#define FILE_STRUCTURED_STORAGE 0x00000441
/* Masks of the option bits valid for each object kind. */
#define FILE_VALID_OPTION_FLAGS 0x00ffffff
#define FILE_VALID_PIPE_OPTION_FLAGS 0x00000032
#define FILE_VALID_MAILSLOT_OPTION_FLAGS 0x00000032
#define FILE_VALID_SET_FLAGS 0x00000036
/* IoStatusBlock.Information values reported by a successful NtCreateFile,
 * telling which of the disposition outcomes actually happened. */
#define FILE_SUPERSEDED 0x00000000
#define FILE_OPENED 0x00000001
#define FILE_CREATED 0x00000002
#define FILE_OVERWRITTEN 0x00000003
#define FILE_EXISTS 0x00000004
#define FILE_DOES_NOT_EXIST 0x00000005
/* CreateDisposition values for nt_create_file() / nt_raw_CreateFile(). */
#define FILE_SUPERSEDE 0x00000000
#define FILE_OPEN 0x00000001
#define FILE_CREATE 0x00000002
#define FILE_OPEN_IF 0x00000003
#define FILE_OVERWRITE 0x00000004
#define FILE_OVERWRITE_IF 0x00000005
#define FILE_MAXIMUM_DISPOSITION 0x00000005
#define FILE_DISPOSITION_SET_OWNER 0x10000000
/* Special ByteOffset values for read_file()/write_file(): append, or use the
 * handle's current position.  These are the LowPart values; the native API
 * expects HighPart == -1 alongside them -- confirm how ntdll.c forms the
 * 64-bit offset it passes down. */
#define FILE_WRITE_TO_END_OF_FILE 0xffffffff
#define FILE_USE_FILE_POINTER_POSITION 0xfffffffe
/* Supplies STATUS_PENDING for old toolchains (_MSC_VER 1200 is Visual C++ 6.0).
 * NOTE(review): when _MSC_VER is not defined at all the preprocessor evaluates
 * it as 0, so this branch is also taken by non-MSVC compilers; if their
 * headers already define STATUS_PENDING with a different token sequence (e.g.
 * with an NTSTATUS cast) that redefinition is a constraint violation.
 * `#if !defined(STATUS_PENDING)` would express the intent more robustly.
 * STATUS_PENDING: if the pipe was opened overlapped (i.e. asynch io) then
 * TransactNamedPipe specifically checks for this value to determine whether
 * or not it should wait on the pipe; this is the only return code it
 * specifically checks for. */
#if _MSC_VER <= 1200
# define STATUS_PENDING 0x103
#endif
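/* Device types (the FILE_DEVICE_* field of an I/O control code). */
#define FILE_DEVICE_FILE_SYSTEM 0x00000009
#define FILE_DEVICE_NAMED_PIPE 0x00000011
/* NTSTATUS values not provided by the SDK headers we build against.
 * Severity lives in the top two bits: 0xC... is an error and 0x8... a warning,
 * neither of which passes NT_SUCCESS; 0x4... is informational and 0x0...
 * success, both of which DO pass NT_SUCCESS.  Codes such as
 * STATUS_OBJECT_NAME_EXISTS, STATUS_IMAGE_NOT_AT_BASE and
 * STATUS_PROCESS_IN_JOB / STATUS_PROCESS_NOT_IN_JOB therefore have to be
 * compared for explicitly; NT_SUCCESS alone will not notice them.
 * An SDK that also defines one of the unguarded names with the same token
 * sequence is harmless; a differing token sequence would be a redefinition
 * diagnostic, which is why a few entries below are #ifndef-guarded. */
#define STATUS_NOT_IMPLEMENTED ((NTSTATUS)0xC0000002L)
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS)0xC0000004L)
#define STATUS_NO_SUCH_FILE ((NTSTATUS)0xC000000FL)
#define STATUS_CONFLICTING_ADDRESSES ((NTSTATUS)0xC0000018L)
/* "The end-of-file marker has been reached. There is no valid data in
 * the file beyond this marker." */
#define STATUS_END_OF_FILE ((NTSTATUS)0xC0000011L)
#define STATUS_INVALID_ADDRESS ((NTSTATUS)0xC0000141L)
/* Warning: the output buffer was too small and the data was truncated.
 * Callers that size buffers from externally supplied lengths must treat this
 * as "retry with a larger buffer", not as success. */
#define STATUS_BUFFER_OVERFLOW ((NTSTATUS)0x80000005L)
#define STATUS_NO_MORE_FILES ((NTSTATUS)0x80000006L)
/* "The attributes of the specified mapping file for a section of memory
 * cannot be read." */
#define STATUS_INVALID_FILE_FOR_SECTION ((NTSTATUS)0xC0000020L)
/* "A process has requested access to an object, but has not been granted
 * those access rights." */
#define STATUS_ACCESS_DENIED ((NTSTATUS)0xC0000022L)
/* "The buffer is too small to contain the entry. No information has been
 * written to the buffer." */
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)
/* "There is a mismatch between the type of object that is required by the
 * requested operation and the type of object that is specified in the
 * request." */
#define STATUS_OBJECT_TYPE_MISMATCH ((NTSTATUS)0xC0000024L)
#define STATUS_OBJECT_NAME_INVALID ((NTSTATUS)0xC0000033L)
#define STATUS_OBJECT_NAME_NOT_FOUND ((NTSTATUS)0xC0000034L)
#define STATUS_OBJECT_NAME_COLLISION ((NTSTATUS)0xC0000035L)
#define STATUS_OBJECT_PATH_INVALID ((NTSTATUS)0xC0000039L)
#define STATUS_OBJECT_PATH_NOT_FOUND ((NTSTATUS)0xC000003AL)
#define STATUS_SECTION_TOO_BIG ((NTSTATUS)0xC0000040L)
#define STATUS_SHARING_VIOLATION ((NTSTATUS)0xC0000043L)
#define STATUS_INVALID_PAGE_PROTECTION ((NTSTATUS)0xC0000045L)
#define STATUS_FILE_LOCK_CONFLICT ((NTSTATUS)0xC0000054L)
#define STATUS_DELETE_PENDING ((NTSTATUS)0xC0000056L)
/* "The volume for a file has been externally altered such that the opened
 * file is no longer valid." */
#define STATUS_FILE_INVALID ((NTSTATUS)0xC0000098L)
/* "The file that was specified as a target is a directory and the caller
 * specified that it could be anything but a directory." */
#define STATUS_FILE_IS_A_DIRECTORY ((NTSTATUS)0xC00000BAL)
/* Informational (passes NT_SUCCESS): the named object already existed. */
#define STATUS_OBJECT_NAME_EXISTS ((NTSTATUS)0x40000000L)
/* Informational (passes NT_SUCCESS):
 * "An image file could not be mapped at the address specified in the image file. "
 * "Local fixups must be performed on this image."
 */
#define STATUS_IMAGE_NOT_AT_BASE ((NTSTATUS)0x40000003L)
#if !defined(STATUS_NO_MEMORY)
/* "Not enough virtual memory or paging file quota is available to complete
 * the specified operation." */
# define STATUS_NO_MEMORY ((NTSTATUS)0xC0000017L)
#endif
#define STATUS_PAGEFILE_QUOTA_EXCEEDED ((NTSTATUS)0xC000012CL)
/* "Your system is low on virtual memory. To ensure that Windows runs
 * properly, increase the size of your virtual memory paging file. For more
 * information, see Help."
 * Also seen when a process in a Job reaches its ProcessMemoryLimit. */
#define STATUS_COMMITMENT_LIMIT ((NTSTATUS)0xC000012DL)
/* "Your system is low on virtual memory. Windows is increasing the size of
 * your virtual memory paging file. During this process, memory requests for
 * some applications may be denied. For more information, see Help." */
#define STATUS_COMMITMENT_MINIMUM ((NTSTATUS)0xC00002C8L)
/* SEH exception code the MSVC C++ runtime raises for a thrown C++ exception
 * (0xE0000000 | 'msc'); an exception code, not an NTSTATUS. */
#define EXCEPTION_THROWN 0xe06d7363
/* Both are success-class answers to a job-membership query and pass
 * NT_SUCCESS; compare for the specific value. */
#define STATUS_PROCESS_NOT_IN_JOB ((NTSTATUS)0x00000123L)
#define STATUS_PROCESS_IN_JOB ((NTSTATUS)0x00000124L)
#define STATUS_NO_SUCH_PRIVILEGE ((NTSTATUS)0xC0000060L)
#define STATUS_PRIVILEGE_NOT_HELD ((NTSTATUS)0xC0000061L)
#define STATUS_CALLBACK_POP_STACK ((NTSTATUS)0xC0000423L)
#define STATUS_INVALID_INFO_CLASS ((NTSTATUS)0xC0000003L)
/* "An attempt was made to map a file of size zero with the maximum size
 * specified as zero." */
#define STATUS_MAPPED_FILE_SIZE_ZERO ((NTSTATUS)0xC000011EL)
/* Warning: only part of a cross-process memory read/write completed.  The
 * bytes_read / bytes_written out-params of nt_read_virtual_memory() /
 * nt_write_virtual_memory() presumably report how much did; verify. */
#define STATUS_PARTIAL_COPY ((NTSTATUS)0x8000000DL)
#ifndef STATUS_INVALID_PARAMETER
# define STATUS_INVALID_PARAMETER ((NTSTATUS)0xC000000DL)
#endif
#define STATUS_NOT_MAPPED_DATA ((NTSTATUS)0xC0000088L)
/* STATUS_INVALID_PARAMETER_n: the n-th argument of the service was invalid. */
#define STATUS_INVALID_PARAMETER_1 ((NTSTATUS)0xC00000EFL)
#define STATUS_INVALID_PARAMETER_2 ((NTSTATUS)0xC00000F0L)
#define STATUS_INVALID_PARAMETER_3 ((NTSTATUS)0xC00000F1L)
#define STATUS_INVALID_PARAMETER_4 ((NTSTATUS)0xC00000F2L)
#define STATUS_INVALID_PARAMETER_5 ((NTSTATUS)0xC00000F3L)
#define STATUS_INVALID_PARAMETER_6 ((NTSTATUS)0xC00000F4L)
#define STATUS_INVALID_PARAMETER_7 ((NTSTATUS)0xC00000F5L)
#define STATUS_INVALID_PARAMETER_8 ((NTSTATUS)0xC00000F6L)
#define STATUS_INVALID_PARAMETER_9 ((NTSTATUS)0xC00000F7L)
#define STATUS_INVALID_PARAMETER_10 ((NTSTATUS)0xC00000F8L)
#define STATUS_INVALID_PARAMETER_11 ((NTSTATUS)0xC00000F9L)
#define STATUS_INVALID_PARAMETER_12 ((NTSTATUS)0xC00000FAL)
#define STATUS_THREAD_IS_TERMINATING ((NTSTATUS)0xC000004BL)
#define STATUS_PROCESS_IS_TERMINATING ((NTSTATUS)0xC000010AL)
#define STATUS_NOT_A_REPARSE_POINT ((NTSTATUS)0xC0000275L)
#define STATUS_PIPE_NOT_AVAILABLE ((NTSTATUS)0xC00000ACL)
/* sizeof(IMAGE_BASE_RELOCATION): two DWORDs, VirtualAddress and SizeOfBlock. */
#ifndef IMAGE_SIZEOF_BASE_RELOCATION
# define IMAGE_SIZEOF_BASE_RELOCATION 8
#endif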
NTSTATUS
nt_create_file(OUT HANDLE *file_handle, const wchar_t *filename,
HANDLE dir_handle OPTIONAL, size_t alloc_size, ACCESS_MASK rights,
uint attributes, uint sharing, uint create_disposition,
uint create_options);
/* Higher-level open/create returning the handle directly (presumably built on
 * nt_create_file() above -- confirm in ntdll.c).  is_dir selects a directory
 * rather than a file; synch selects synchronous I/O on the returned handle.
 * NOTE(review): the first line of the original comment was lost; its
 * surviving tail, "... on the returned handle", most likely described what a
 * caller must do when synch is false -- verify against the implementation. */
HANDLE
create_file(PCWSTR filename, bool is_dir, ACCESS_MASK rights, uint sharing,
uint create_disposition, bool synch);
#if !defined(NOT_DYNAMORIO_CORE_PROPER) && !defined(NOT_DYNAMORIO_CORE)
NTSTATUS
nt_open_file(HANDLE *handle OUT, PCWSTR filename, ACCESS_MASK rights, uint sharing,
uint options);
#endif
NTSTATUS
nt_delete_file(PCWSTR nt_filename);
NTSTATUS
nt_flush_file_buffers(HANDLE file_handle);
/* Reads up to num_bytes_to_read bytes from file_handle into buffer.
 * file_byte_offset is optional (NULL presumably means the handle's current
 * position; see FILE_USE_FILE_POINTER_POSITION above and confirm in ntdll.c).
 * *num_bytes_read receives the count actually transferred, which may be
 * smaller than requested -- that is what the separate out-param is for, so
 * consumers must bound by it, not by num_bytes_to_read.  Note the request
 * size is a uint while the result is a size_t. */
bool
read_file(HANDLE file_handle, void *buffer, uint num_bytes_to_read,
IN uint64 *file_byte_offset OPTIONAL, OUT size_t *num_bytes_read);
/* Writes num_bytes_to_write bytes from buffer; same offset and partial-
 * transfer semantics as read_file(), with *num_bytes_written the count
 * actually written. */
bool
write_file(HANDLE file_handle, const void *buffer, uint num_bytes_to_write,
OPTIONAL uint64 *file_byte_offset, OUT size_t *num_bytes_written);
/* Closes hfile; returns false if the close failed. */
bool
close_file(HANDLE hfile);
/* Native-API FILE_STANDARD_INFORMATION (FileStandardInformation class) for
 * nt_query_file_info().  This is the kernel's layout: do not reorder or
 * retype fields. */
typedef struct _FILE_STANDARD_INFORMATION {
    LARGE_INTEGER AllocationSize; /* bytes allocated to the file */
    LARGE_INTEGER EndOfFile; /* file size in bytes */
    ULONG NumberOfLinks; /* hard links to the file */
    BOOLEAN DeletePending; /* deletion requested on last handle close */
    BOOLEAN Directory;
} FILE_STANDARD_INFORMATION, *PFILE_STANDARD_INFORMATION;
/* Native-API FILE_INTERNAL_INFORMATION (FileInternalInformation class): the
 * file's volume-unique id (file reference number). */
typedef struct _FILE_INTERNAL_INFORMATION {
    LARGE_INTEGER IndexNumber;
} FILE_INTERNAL_INFORMATION, *PFILE_INTERNAL_INFORMATION;
/* Native-API FILE_POSITION_INFORMATION (FilePositionInformation class): the
 * handle's current byte offset; queryable and settable through
 * nt_query_file_info() / nt_set_file_info(). */
typedef struct _FILE_POSITION_INFORMATION {
    LARGE_INTEGER CurrentByteOffset;
} FILE_POSITION_INFORMATION, *PFILE_POSITION_INFORMATION;
/* Native-API FILE_ALIGNMENT_INFORMATION (FileAlignmentInformation class): the
 * buffer alignment the device requires (relevant to
 * FILE_NO_INTERMEDIATE_BUFFERING opens). */
typedef struct _FILE_ALIGNMENT_INFORMATION {
    ULONG AlignmentRequirement;
} FILE_ALIGNMENT_INFORMATION, *PFILE_ALIGNMENT_INFORMATION;
/* Element count (WCHARs) of the FileName buffers in the FILE_*_INFORMATION
 * structs below.  NT paths can exceed MAX_PATH, so callers must expect
 * truncation / STATUS_BUFFER_OVERFLOW rather than assume the name fits. */
#define MAX_FILE_NAME_LENGTH MAX_PATH
/* Native-API FILE_NAME_INFORMATION (FileNameInformation class) with a fixed
 * MAX_FILE_NAME_LENGTH buffer in place of the kernel's open-ended FileName[1],
 * so callers control the length they are interested in via the size they
 * pass to nt_query_file_info().
 * FileNameLength is in BYTES and FileName is NOT NUL-terminated: anything
 * that prints or copies it as a C string must bound it by FileNameLength.
 * A name longer than the buffer comes back truncated with
 * STATUS_BUFFER_OVERFLOW -- NOTE(review): confirm callers check for that. */
typedef struct _FILE_NAME_INFORMATION {
    ULONG FileNameLength;
    WCHAR FileName[MAX_FILE_NAME_LENGTH];
} FILE_NAME_INFORMATION, *PFILE_NAME_INFORMATION;
/* Native-API FILE_RENAME_INFORMATION (FileRenameInformation class) for
 * nt_set_file_info(), with the trailing name given a fixed
 * MAX_FILE_NAME_LENGTH buffer instead of the kernel's open-ended FileName[1].
 * FileNameLength is in BYTES and FileName is not NUL-terminated.  With
 * RootDirectory == NULL, FileName is a full NT path; otherwise it is
 * relative to that directory handle.  ReplaceIfExists == TRUE overwrites an
 * existing target. */
typedef struct _FILE_RENAME_INFORMATION {
    BOOLEAN ReplaceIfExists;
    HANDLE RootDirectory;
    ULONG FileNameLength;
    WCHAR FileName[MAX_FILE_NAME_LENGTH];
} FILE_RENAME_INFORMATION, *PFILE_RENAME_INFORMATION;
/* Native-API FILE_ATTRIBUTE_TAG_INFORMATION (FileAttributeTagInformation
 * class): the file attributes plus, when FILE_ATTRIBUTE_REPARSE_POINT is set,
 * the reparse tag (see FILE_OPEN_REPARSE_POINT / STATUS_NOT_A_REPARSE_POINT
 * above). */
typedef struct _FILE_ATTRIBUTE_TAG_INFORMATION {
    ULONG FileAttributes;
    ULONG ReparseTag;
} FILE_ATTRIBUTE_TAG_INFORMATION, *PFILE_ATTRIBUTE_TAG_INFORMATION;
/* Native-API FILE_DISPOSITION_INFORMATION (FileDispositionInformation class)
 * for nt_set_file_info(): DeleteFile == TRUE marks the file for deletion when
 * its last handle closes (the handle needs DELETE access). */
typedef struct _FILE_DISPOSITION_INFORMATION {
    BOOLEAN DeleteFile;
} FILE_DISPOSITION_INFORMATION, *PFILE_DISPOSITION_INFORMATION;
/* Native-API FILE_END_OF_FILE_INFORMATION (FileEndOfFileInformation class)
 * for nt_set_file_info(): sets the file size, truncating or extending it
 * (an extension reads back as zeros). */
typedef struct _FILE_END_OF_FILE_INFORMATION {
    LARGE_INTEGER EndOfFile;
} FILE_END_OF_FILE_INFORMATION, *PFILE_END_OF_FILE_INFORMATION;
/* Native-API FILE_VALID_DATA_LENGTH_INFORMATION
 * (FileValidDataLengthInformation class): how much of the file has actually
 * been written.  Raising it exposes whatever bytes already sit on disk in the
 * new range without zeroing them, which is why the caller must hold
 * SeManageVolumePrivilege -- treat any use as security-sensitive. */
typedef struct _FILE_VALID_DATA_LENGTH_INFORMATION {
    LARGE_INTEGER ValidDataLength;
} FILE_VALID_DATA_LENGTH_INFORMATION, *PFILE_VALID_DATA_LENGTH_INFORMATION;
HANDLE
nt_create_event(EVENT_TYPE event_type);
void
nt_close_event(HANDLE hevent);
/* Outcome of nt_wait_event_with_timeout(): the timeout elapsed, the event was
 * signaled, or the wait itself failed. */
typedef enum {
    WAIT_TIMEDOUT = 0,
    WAIT_SIGNALED = 1,
    WAIT_ERROR = 2
} wait_status_t;
/* Timeout argument meaning "wait forever" for nt_wait_event_with_timeout():
 * a NULL PLARGE_INTEGER, which the underlying NtWaitForSingleObject TimeOut
 * parameter (declared further below) treats as no time limit. */
#define INFINITE_WAIT ((PLARGE_INTEGER)NULL)
wait_status_t
nt_wait_event_with_timeout(HANDLE hevent, PLARGE_INTEGER timeout);
void
nt_set_event(HANDLE hevent);
void
nt_clear_event(HANDLE hevent);
void
nt_signal_and_wait(HANDLE hevent_to_signal, HANDLE hevent_to_wait);
HANDLE
create_iocompletion(void);
HANDLE
open_pipe(PCWSTR pipename, HANDLE hsync);
size_t
nt_pipe_transceive(HANDLE hpipe, void *input, uint input_size, void *output,
uint output_size, uint timeout_ms);
/* Conversion factors for the 100ns tick unit used by the *_100ns routines
 * below and by LARGE_INTEGER due/timeout values. */
#define TIMER_UNITS_PER_MILLISECOND (1000 * 10)
#define TIMER_UNITS_PER_MICROSECOND (10)
wchar_t *
get_process_param_buf(RTL_USER_PROCESS_PARAMETERS *params, wchar_t *buf);
void
convert_100ns_to_system_time(uint64 time_in_100ns, SYSTEMTIME *st OUT);
void
convert_system_time_to_100ns(const SYSTEMTIME *st, uint64 *time_in_100ns OUT);
LONGLONG
query_time_100ns(void);
void
query_system_time(SYSTEMTIME *st OUT);
void
nt_query_performance_counter(PLARGE_INTEGER counter, PLARGE_INTEGER frequency);
#ifdef WINDOWS_PC_SAMPLE
HANDLE
nt_create_profile(HANDLE process_handle, void *start, uint size, uint *buffer,
uint buffer_size, uint shift);
void
nt_set_profile_interval(uint nanoseconds);
int
nt_query_profile_interval(void);
void
nt_start_profile(HANDLE profile_handle);
void
nt_stop_profile(HANDLE profile_handle);
#endif
#if !defined(NOT_DYNAMORIO_CORE) && !defined(NOT_DYNAMORIO_CORE_PROPER)
/* Creates a child process.  exe is given as an NT path, judging by the
 * examples (e.g., \SystemRoot\System32\notepad.exe, or \??\c:\foo\bar.exe);
 * the executable name on the command line can be in any form.
 * On success returns a handle for the child.
 * On failure returns INVALID_HANDLE_VALUE.
 * NOTE(review): neither parameter is const -- confirm whether the
 * implementation writes through them before passing shared strings. */
HANDLE
create_process(wchar_t *exe, wchar_t *cmdline);
/* Creates a thread in hProcess (a 64-bit target when target_64bit is set)
 * that starts at start_addr with argument arg; stack_reserve/stack_commit
 * size its stack, suspended creates it suspended, *tid receives its id.
 * Threads created with this function can NOT return from their start routine.
 * On Win8+, the kernel owns the created stack; o/w, we own it.
 * On Win8+, if arg_buf != NULL, it's placed in a new virtual alloc and it's
 * up to the caller to free it.
 */
HANDLE
our_create_thread(HANDLE hProcess, bool target_64bit, void *start_addr, void *arg,
const void *arg_buf, size_t arg_buf_size, uint stack_reserve,
uint stack_commit, bool suspended, thread_id_t *tid);
/* As our_create_thread(), but the caller supplies the stack
 * [stack_base, stack_base + stack_size) instead of having one created;
 * ownership of that stack presumably stays with the caller -- confirm. */
HANDLE
our_create_thread_have_stack(HANDLE hProcess, bool target_64bit, void *start_addr,
void *arg, const void *arg_buf, size_t arg_buf_size,
byte *stack_base, size_t stack_size, bool suspended,
thread_id_t *tid);
/* Start-routine trampoline for the two creators above (presumably; param
 * would carry the real start address and argument -- confirm in ntdll.c). */
void
our_create_thread_wrapper(void *param);
/* Querying the current thread's own context through the kernel is not usable
 * (where the returned context is undefined), so use this to get the context
 * of the current thread.
 * If (cxt)->ContextFlags asks for either CONTEXT_INTEGER or CONTEXT_CONTROL,
 * get_own_context_helper() runs and the stack pointer is patched in from the
 * caller's frame (asking for integer or control does both); get_own_context()
 * then fills the rest.
 * Xref PR 264138 where we have to preserve xmm registers: however, no
 * current uses need to get our own xmm registers, so we don't.
 * PR 266070: If any future use uses this context to either set a
 * priv_mcontext_t or passes it to nt_set_context() we'll have to add
 * the xmm regs.
 * This is a macro rather than a function (we don't want ebp/esp to point to
 * a leaf routine's stack frame): GET_STACK_PTR samples the stack pointer in
 * the caller's own frame.
 * NOTE(review): the body is a bare `{ }` block, so `if (c) GET_OWN_CONTEXT(x);
 * else ...` does not parse; a do { } while (0) wrapper is the usual fix but
 * needs every call site checked for a trailing semicolon first.  The local
 * __get_own_context_cur_esp is in the implementation-reserved namespace
 * (leading double underscore). */
# define GET_OWN_CONTEXT(cxt) \
{ \
    if (TESTANY(CONTEXT_CONTROL | CONTEXT_INTEGER, (cxt)->ContextFlags)) { \
        byte *__get_own_context_cur_esp; \
        get_own_context_helper((cxt)); \
        GET_STACK_PTR(__get_own_context_cur_esp); \
        (cxt)->CXT_XSP = (reg_t)__get_own_context_cur_esp; \
    } \
    get_own_context((cxt)); \
}
/* Fills the CONTEXT_INTEGER and CONTEXT_CONTROL parts of cxt for the calling
 * thread from mc, using the given cs/ss selectors (presumably what
 * get_own_context_helper() in GET_OWN_CONTEXT reaches -- confirm in ntdll.c). */
void
get_own_context_integer_control(CONTEXT *cxt, reg_t cs, reg_t ss, priv_mcontext_t *mc);
/* Completes cxt after GET_OWN_CONTEXT has filled in the CONTEXT_INTEGER and
 * CONTEXT_CONTROL values; this fills the rest. */
void
get_own_context(CONTEXT *cxt);
#endif
/* Hard-coded TEB (TIB) and PEB field offsets for both bitnesses, so that a
 * process's TEB/PEB can be walked without the SDK structs -- presumably by
 * the *_64 / *_maybe64 remote helpers below.  Grouped by field; each pair is
 * (x64, x86).  These are ABI offsets: do not "tidy" the values. */
enum {
    /* TEB fields */
    X64_SELF_TIB_OFFSET = 0x030,
    X86_SELF_TIB_OFFSET = 0x018,
    X64_PEB_TIB_OFFSET = 0x060,
    X86_PEB_TIB_OFFSET = 0x030,
    /* PEB fields */
    X64_LDR_PEB_OFFSET = 0x018,
    X64_IMAGE_BASE_PEB_OFFSET = 0x010,
    X86_IMAGE_BASE_PEB_OFFSET = 0x008,
    X64_PROCESS_PARAM_PEB_OFFSET = 0x020,
    X86_PROCESS_PARAM_PEB_OFFSET = 0x010,
};
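/* Finds the loader list entry for the module with the given name.  The
 * comparison rule and the not-found return (presumably NULL) are decided in
 * ntdll.c -- confirm there before relying on either.
 * (A stray empty declaration `;` that followed this prototype, rejected under
 * -pedantic, has been dropped.) */
LDR_MODULE *
get_ldr_module_by_name(wchar_t *name);
/* True if mod was brought in as a static import rather than dynamically
 * (per its name; the exact loader flag consulted is in ntdll.c). */
bool
ldr_module_statically_linked(LDR_MODULE *mod);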
#ifndef X64
uint64
get_own_x64_peb(void);
HANDLE
load_library_64(const char *path);
bool
free_library_64(HANDLE lib);
uint64
get_module_handle_64(const wchar_t *name);
uint64
get_proc_address_64(uint64 lib, const char *name);
bool
remote_protect_virtual_memory_64(HANDLE process, uint64 base, size_t size, uint prot,
uint *old_prot);
#endif
uint64
find_remote_dll_base(HANDLE phandle, bool find64bit, char *dll_name);
uint64
get_remote_proc_address(HANDLE process, uint64 remote_base, const char *name);
bool
get_remote_dll_short_name(HANDLE process, uint64 remote_base, OUT char *name,
size_t name_len, OUT bool *is_64);
bool
remote_protect_virtual_memory_maybe64(HANDLE process, uint64 base, size_t size, uint prot,
uint *old_prot);
NTSTATUS
remote_query_virtual_memory_maybe64(HANDLE process, uint64 addr,
MEMORY_BASIC_INFORMATION64 *mbi, size_t mbilen,
uint64 *got);
IMAGE_EXPORT_DIRECTORY *
get_module_exports_directory(app_pc base_addr, size_t *exports_size );
IMAGE_EXPORT_DIRECTORY *
get_module_exports_directory_check(app_pc base_addr,
size_t *exports_size ,
bool check_names);
/* A module handle is, at least in the platforms we've seen so far, just a pointer to the base
 * address of the dll. We use separate types here to keep things neat.
 * module_handle_t is a pointer to an opaque struct to improve type safety, but
 * internally we use module_base_t which can be freely converted to HMODULE,
 * HANDLE, byte*, and app_pc.
 */
/* [start of comment lost in extraction] ... that into drpreinject or drinjectlib.
 */
/* Opaque handle for a loaded module: module_handle_t points to an incomplete
 * struct so it cannot be mixed up with other pointer types at call sites,
 * while module_base_t is the plain void* the implementation converts to and
 * from internally. */
struct _module_handle_t;
typedef struct _module_handle_t *module_handle_t;
typedef void *module_base_t;
module_handle_t
load_library(wchar_t *lib_name);
bool
free_library(module_handle_t lib);
module_handle_t
get_module_handle(const wchar_t *lib_name);
/* Needed for IMAGE_COR20_HEADER
 */
#ifndef __IMAGE_COR20_HEADER_DEFINED__
# define __IMAGE_COR20_HEADER_DEFINED__
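/* Constants from the CLR's corhdr.h that accompany IMAGE_COR20_HEADER, for
 * SDKs that lack it (see the __IMAGE_COR20_HEADER_DEFINED__ guard above).
 * They describe on-disk PE data, so the values must match the SDK exactly. */
typedef enum replaces_cor_hdr_numeric_defines_t {
    /* IMAGE_COR20_HEADER.Flags bits */
    COMIMAGE_FLAGS_ILONLY = 0x00000001,
    COMIMAGE_FLAGS_32BITREQUIRED = 0x00000002,
    COMIMAGE_FLAGS_IL_LIBRARY = 0x00000004,
    COMIMAGE_FLAGS_STRONGNAMESIGNED = 0x00000008,
    COMIMAGE_FLAGS_TRACKDEBUGDATA = 0x00010000,
    /* runtime version carried in Major/MinorRuntimeVersion */
    COR_VERSION_MAJOR_V2 = 2,
    COR_VERSION_MAJOR = COR_VERSION_MAJOR_V2,
    COR_VERSION_MINOR = 0,
    COR_DELETED_NAME_LENGTH = 8,
    COR_VTABLEGAP_NAME_LENGTH = 8,
    NATIVE_TYPE_MAX_CB = 1,
    COR_ILMETHOD_SECT_SMALL_MAX_DATASIZE = 0xFF,
    /* method-info header flags */
    IMAGE_COR_MIH_METHODRVA = 0x01,
    IMAGE_COR_MIH_EHRVA = 0x02,
    IMAGE_COR_MIH_BASICBLOCK = 0x08,
    /* VTableFixups entry type bits */
    COR_VTABLE_32BIT = 0x01,
    COR_VTABLE_64BIT = 0x02,
    COR_VTABLE_FROM_UNMANAGED = 0x04,
    COR_VTABLE_CALL_MOST_DERIVED = 0x10,
    /* size of an export-address-table jump thunk */
    IMAGE_COR_EATJ_THUNK_SIZE = 32,
    MAX_CLASS_NAME = 1024,
    MAX_PACKAGE_NAME = 1024,
} replaces_cor_hdr_numeric_defines_t;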
/* The CLR header of a managed PE image (the COM-descriptor data directory),
 * laid out as in corhdr.h.  Only defined when the SDK's own guard
 * __IMAGE_COR20_HEADER_DEFINED__ is absent, which is why that
 * implementation-reserved name is reused above.  This is on-disk layout:
 * do not reorder or retype fields.  Anything parsing an untrusted image must
 * bounds-check cb and each IMAGE_DATA_DIRECTORY against the mapped size
 * before dereferencing. */
typedef struct IMAGE_COR20_HEADER {
    DWORD cb; /* size of this header in bytes */
    WORD MajorRuntimeVersion;
    WORD MinorRuntimeVersion;
    IMAGE_DATA_DIRECTORY MetaData;
    DWORD Flags; /* COMIMAGE_FLAGS_* */
    DWORD EntryPointToken;
    IMAGE_DATA_DIRECTORY Resources;
    IMAGE_DATA_DIRECTORY StrongNameSignature;
    IMAGE_DATA_DIRECTORY CodeManagerTable;
    IMAGE_DATA_DIRECTORY VTableFixups;
    IMAGE_DATA_DIRECTORY ExportAddressTableJumps;
    IMAGE_DATA_DIRECTORY ManagedNativeHeader;
} IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;
#endif
/* Mask over IMAGE_SECTION_HEADER.Characteristics selecting the section
 * alignment (IMAGE_SCN_ALIGN_*) field; older SDKs lack the name. */
#ifndef IMAGE_SCN_ALIGN_MASK
# define IMAGE_SCN_ALIGN_MASK 0x00F00000
#endif
NTSTATUS
nt_initialize_shared_directory(HANDLE *shared_directory , bool permanent);
NTSTATUS
nt_open_object_directory(HANDLE *shared_directory , PCWSTR object_directory_name,
bool allow_creation);
void
nt_close_object_directory(HANDLE hobjdir);
NTSTATUS
nt_get_symlink_target(IN HANDLE directory_handle, IN PCWSTR symlink_name,
IN OUT UNICODE_STRING *target_name, OUT uint *returned_byte_length);
/* Element count (wchar_t) of OBJECT_NAME_INFORMATION.object_name_buffer below. */
#define MAX_OBJECT_NAME_LENGTH MAX_PATH
/* Result buffer for nt_get_object_name(): the native OBJECT_NAME_INFORMATION
 * is just the UNICODE_STRING, with the name characters expected to follow it
 * in the same buffer, so a fixed trailing buffer is appended here.
 * ObjectName.Buffer is presumably pointed into object_name_buffer by the
 * kernel (confirm); bound the name by ObjectName.Length (bytes), not by a
 * NUL terminator. */
typedef struct _OBJECT_NAME_INFORMATION {
    UNICODE_STRING ObjectName;
    /* Object names are not limited to this length, yet we do not expect
     * needs for longer. */
    wchar_t object_name_buffer[MAX_OBJECT_NAME_LENGTH];
} OBJECT_NAME_INFORMATION, *POBJECT_NAME_INFORMATION;
NTSTATUS
wchar_to_unicode(PUNICODE_STRING dst, PCWSTR src);
NTSTATUS
nt_get_object_name(HANDLE handle, OBJECT_NAME_INFORMATION *object_name ,
uint byte_length, uint *returned_byte_length);
NTSTATUS
nt_create_section(OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess,
IN PLARGE_INTEGER SectionSize OPTIONAL, IN ULONG Protect,
IN ULONG section_creation_attributes, IN HANDLE FileHandle,
IN PCWSTR new_section_name, IN ULONG object_name_attributes,
IN HANDLE object_directory, IN PSECURITY_DESCRIPTOR dacl);
NTSTATUS
nt_open_section(OUT PHANDLE SectionHandle, IN ACCESS_MASK DesiredAccess,
IN PCWSTR section_name, IN ULONG object_name_attributes,
IN HANDLE object_directory);
NTSTATUS
nt_create_module_file(OUT HANDLE *file_handle, const wchar_t *file_path,
IN HANDLE root_directory_handle OPTIONAL,
ACCESS_MASK desired_access_rights, uint file_special_attributes,
uint file_sharing_flags, uint create_disposition,
size_t allocation_size);
NTSTATUS
nt_query_file_info(IN HANDLE FileHandle, OUT PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass);
NTSTATUS
nt_set_file_info(IN HANDLE FileHandle, IN PVOID FileInformation,
IN ULONG FileInformationLength,
IN FILE_INFORMATION_CLASS FileInformationClass);
NTSTATUS
nt_query_volume_info(IN HANDLE FileHandle, OUT PVOID FsInformation,
IN ULONG FsInformationLength,
IN FS_INFORMATION_CLASS FsInformationClass);
NTSTATUS
nt_query_security_object(IN HANDLE Handle, IN SECURITY_INFORMATION RequestedInformation,
OUT PSECURITY_DESCRIPTOR SecurityDescriptor,
IN ULONG SecurityDescriptorLength, OUT PULONG ReturnLength);
/* SHARED NON-RAW NTDLL WRAPPERS
 *
 * These are ones for which there's no extra value we want to add in
 * an nt_() routine of our own, but we want to share (typically between
 * ntdll.c and drwinapi/).
 */
/* GET_NTDLL (not visible here) presumably declares the named ntdll export
 * with the given signature so callers invoke it directly; see its definition
 * for whether that yields a prototype or a function pointer. */
GET_NTDLL(RtlEnterCriticalSection, (IN OUT RTL_CRITICAL_SECTION * crit));
GET_NTDLL(RtlLeaveCriticalSection, (IN OUT RTL_CRITICAL_SECTION * crit));
/* TimeOut == NULL (INFINITE_WAIT above) waits without limit; Alertable lets
 * user APCs interrupt the wait. */
GET_NTDLL(NtWaitForSingleObject,
(IN HANDLE ObjectHandle, IN BOOLEAN Alertable, IN PLARGE_INTEGER TimeOut));
/* FsControlCode selects the FSCTL; the caller owns both buffers for the
 * duration of the call. */
GET_NTDLL(NtFsControlFile,
(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock, IN ULONG FsControlCode,
IN PVOID InputBuffer OPTIONAL, IN ULONG InputBufferLength,
OUT PVOID OutputBuffer OPTIONAL, IN ULONG OutputBufferLength));
/* Length is a ULONG here whereas read_file()/write_file() above report
 * size_t counts; the bytes actually transferred come back in
 * IoStatusBlock.Information. */
GET_NTDLL(NtReadFile,
(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock, OUT PVOID Buffer, IN ULONG Length,
IN PLARGE_INTEGER ByteOffset OPTIONAL, IN PULONG Key OPTIONAL));
GET_NTDLL(NtWriteFile,
(IN HANDLE FileHandle, IN HANDLE Event OPTIONAL,
IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, IN PVOID ApcContext OPTIONAL,
OUT PIO_STATUS_BLOCK IoStatusBlock,
IN const void *Buffer,
IN ULONG Length, IN PLARGE_INTEGER ByteOffset OPTIONAL,
IN PULONG Key OPTIONAL));
/* RAW WRAPPERS
 */
#if !defined(NOT_DYNAMORIO_CORE_PROPER) && !defined(NOT_DYNAMORIO_CORE)
NTSTATUS
nt_raw_CreateFile(PHANDLE file_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status_block,
PLARGE_INTEGER allocation_size, ULONG file_attributes,
ULONG share_access, ULONG create_disposition, ULONG create_options,
PVOID ea_buffer, ULONG ea_length);
NTSTATUS
nt_raw_OpenFile(PHANDLE file_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, PIO_STATUS_BLOCK io_status_block,
ULONG share_access, ULONG open_options);
NTSTATUS
nt_raw_OpenKey(PHANDLE key_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes);
NTSTATUS
nt_raw_OpenKeyEx(PHANDLE key_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, ULONG open_options);
NTSTATUS
nt_raw_OpenProcessTokenEx(HANDLE process_handle, ACCESS_MASK desired_access,
ULONG handle_attributes, PHANDLE token_handle);
NTSTATUS
nt_raw_OpenThread(PHANDLE thread_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);
NTSTATUS
nt_raw_OpenThreadTokenEx(HANDLE thread_handle, ACCESS_MASK desired_access,
BOOLEAN open_as_self, ULONG handle_attributes,
PHANDLE token_handle);
NTSTATUS
nt_raw_QueryAttributesFile(POBJECT_ATTRIBUTES object_attributes,
PFILE_BASIC_INFORMATION file_information);
NTSTATUS
nt_raw_SetInformationFile(HANDLE file_handle, PIO_STATUS_BLOCK io_status_block,
PVOID file_information, ULONG length,
FILE_INFORMATION_CLASS file_information_class);
NTSTATUS
nt_raw_SetInformationThread(HANDLE thread_handle,
THREADINFOCLASS thread_information_class,
PVOID thread_information, ULONG thread_information_length);
NTSTATUS
nt_raw_UnmapViewOfSection(HANDLE process_handle, PVOID base_address);
#endif
NTSTATUS
nt_raw_OpenProcess(PHANDLE process_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, PCLIENT_ID client_id);
NTSTATUS
nt_raw_MapViewOfSection(HANDLE section_handle, HANDLE process_handle, PVOID *base_address,
ULONG_PTR zero_bits, SIZE_T commit_size,
PLARGE_INTEGER section_offset, PSIZE_T view_size,
SECTION_INHERIT inherit_disposition, ULONG allocation_type,
ULONG win32_protect);
NTSTATUS
nt_raw_QueryFullAttributesFile(POBJECT_ATTRIBUTES object_attributes,
PFILE_NETWORK_OPEN_INFORMATION file_information);
NTSTATUS
nt_raw_CreateKey(PHANDLE key_handle, ACCESS_MASK desired_access,
POBJECT_ATTRIBUTES object_attributes, ULONG title_index,
PUNICODE_STRING class, ULONG create_options, PULONG disposition);
NTSTATUS
nt_raw_OpenThreadToken(HANDLE thread_handle, ACCESS_MASK desired_access,
BOOLEAN open_as_self, PHANDLE token_handle);
NTSTATUS
nt_raw_OpenProcessToken(HANDLE process_handle, ACCESS_MASK desired_access,
PHANDLE token_handle);
/* Heap-class bits of the RtlCreateHeap Flags argument: a private heap class.
 * Not provided by the SDK headers this file targets. */
#define HEAP_CLASS_PRIVATE 0x00001000
#endif